We have a site-to-site VPN that has been working for years. Suddenly this week, after I found the below syslog warning, I checked the link. It is up and operational; however, show crypto isakmp sa shows a huge number of established tunnels (QM_IDLE)... 48 in total. clear crypto isakmp sa does not do anything better, and neither does a reboot. Has anyone ever run into this issue? Cisco docs and Google mention IOS bugs, but both ends of the tunnel have been working just fine for the last 4 years or so.
sh crypto isakmp sa cou
Active ISAKMP SA's: 48
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 2
Warning >>> From Syslog server
361: 000322: * decaps: rec'd IPSEC packet has invalid spi for destaddr=1x.1xx.9.x prot=50, spi=0x1D64B6D6(493139670), srcaddr=12.1x.xx.xx
That error message might appear during rekey, as the old SPI might still be in use while the new one has already been sent by the peer, or vice versa. Do you actually have any issue with the tunnel, or are you just concerned about the error messages?
Thanks for the reply.... In fact Google did help me understand the error message; what I am trying to understand is why I have 48 active ISAKMP SAs (48 QM_IDLE when I do show crypto isakmp sa). Usually it's one QM_IDLE when the tunnel is established.
Thanks Jen... Yeah, a few docs that I consulted say that. However, in my case clear crypto isakmp sa does not do much. When I issued the command, all the SAs went to MM_NO_STATE and all 48 of them came back to QM_IDLE again. I even reloaded both ends of the tunnel!
Even though traffic isn't affected at the moment, I am still concerned about it. Some docs do mention the possibility of CPU load in the near future!
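As an added example (not from the thread or from Cisco), here is a small Python script that does the check the original poster is doing by hand: it parses show crypto isakmp sa output, counts SAs per state, flags peer pairs that hold more than one ACTIVE QM_IDLE SA (a healthy site-to-site tunnel normally has exactly one), and correlates that with invalid-SPI syslog lines of the form quoted in the first post. The table layout, the address values (RFC 5737 ranges), the syslog timestamps and the %CRYPTO-4-RECVD_PKT_INV_SPI mnemonic in the sample data are constructed for the example; the regexes match the field names visible in the post and tolerate the missing comma after destaddr in the quoted line.

```python
"""Parse 'show crypto isakmp sa' output and invalid-SPI syslog lines, then
flag peer pairs that hold more than one ACTIVE QM_IDLE SA.
Added example for this thread, not Cisco tooling; all sample data is constructed."""
import re
from collections import Counter, defaultdict

# IOS table columns: dst src state conn-id status. The status column may read
# "ACTIVE" or "ACTIVE (deleted)", so it is captured as free text.
SA_LINE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(.+?)\s*$")

# Fields of the syslog text quoted in the thread; the comma after destaddr is
# optional because the posted line omitted it.
INV_SPI = re.compile(
    r"invalid spi for destaddr=([0-9.]+),?\s+prot=(\d+),\s*"
    r"spi=0x([0-9A-Fa-f]+)\((\d+)\),\s*srcaddr=([0-9.]+)")


def parse_isakmp_sa(text):
    """Return one dict per SA row; header and blank lines are skipped."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("IPv4 ", "IPv6 ", "dst ")):
            continue
        m = SA_LINE.match(line)
        if m:
            dst, src, state, conn_id, status = m.groups()
            sas.append({"dst": dst, "src": src, "state": state,
                        "conn_id": int(conn_id), "status": status})
    return sas


def count_by_state(sas):
    """Per-state totals, like the 'count' form of the command."""
    return Counter(sa["state"] for sa in sas)


def find_sa_buildup(sas, max_per_peer=1):
    """Peer pairs holding more than max_per_peer established (QM_IDLE, ACTIVE,
    not yet deleted) SAs. One per peer pair is the expected steady state."""
    per_peer = Counter(
        (sa["dst"], sa["src"]) for sa in sas
        if sa["state"] == "QM_IDLE"
        and sa["status"].startswith("ACTIVE")
        and "(deleted)" not in sa["status"])
    return {peer: n for peer, n in per_peer.items() if n > max_per_peer}


def parse_invalid_spi(syslog_text):
    """Extract destaddr, srcaddr, protocol and SPI from invalid-SPI log lines,
    checking that the hex and decimal SPI printed in the message agree."""
    events = []
    for line in syslog_text.splitlines():
        m = INV_SPI.search(line)
        if not m:
            continue
        dst, prot, spi_hex, spi_dec, src = m.groups()
        spi = int(spi_hex, 16)
        if spi != int(spi_dec):
            raise ValueError(f"inconsistent SPI in log line: {line!r}")
        events.append({"dst": dst, "src": src, "prot": int(prot), "spi": spi})
    return events


def correlate(sas, events, max_per_peer=1):
    """Peer pairs that both show SA build-up and log invalid-SPI drops.
    Returns {(dst, src): {"sa_count": n, "invalid_spi": [spi, ...]}}."""
    flagged = find_sa_buildup(sas, max_per_peer)
    spis = defaultdict(list)
    for ev in events:
        spis[(ev["dst"], ev["src"])].append(ev["spi"])
    return {peer: {"sa_count": n, "invalid_spi": spis[peer]}
            for peer, n in flagged.items() if peer in spis}


# Constructed sample in the layout of 'show crypto isakmp sa' (RFC 5737 addresses).
SAMPLE_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

192.0.2.1       198.51.100.5    QM_IDLE           1001 ACTIVE
192.0.2.1       198.51.100.5    QM_IDLE           1002 ACTIVE
192.0.2.1       198.51.100.5    QM_IDLE           1003 ACTIVE
192.0.2.1       198.51.100.5    MM_NO_STATE       1004 ACTIVE (deleted)
192.0.2.1       203.0.113.7     QM_IDLE           1005 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Constructed syslog lines modelled on the message quoted in the thread.
SAMPLE_SYSLOG = """\
000322: *Mar  4 10:15:02.113: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1 prot=50, spi=0x1D64B6D6(493139670), srcaddr=198.51.100.5
000323: *Mar  4 10:15:09.870: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x0A1B2C3D(169552957), srcaddr=198.51.100.5
000324: *Mar  4 10:16:00.001: %SYS-5-CONFIG_I: Configured from console by admin
"""

if __name__ == "__main__":
    sas = parse_isakmp_sa(SAMPLE_SA)
    print("SAs by state:", dict(count_by_state(sas)))
    for peer, info in correlate(sas, parse_invalid_spi(SAMPLE_SYSLOG)).items():
        print(f"peer {peer[1]} -> {peer[0]}: {info['sa_count']} QM_IDLE SAs, "
              f"invalid SPIs {[hex(s) for s in info['invalid_spi']]}")
```

Run it against a real capture by replacing the two sample strings with the pasted command output and the relevant syslog extract. A peer pair that appears in correlate's output has both symptoms from the thread at once, which separates a transient rekey overlap (invalid-SPI drops but a single QM_IDLE SA) from a build-up of stale phase-1 SAs.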