10-21-2004 05:32 AM
hi,
I have a pix 520 running version 5.3 and the peer is a checkpoint NG.
I've downloaded the PDF document from cisco "configuring an ipsec tunnel between a cisco secure pix firewall and a checkpoint ng firewall".
everything was working fine but the guys behind the checkpoint were getting disconnected sometimes, so we decided to put the security-association lifetime to 86400, that's 1 day, and the crypto ipsec transform-set pixset esp-des esp-sha-hmac
it worked great for 2 weeks but now they're getting disconnected, and when this happens, from what I've been told, they can't reconnect again for about 10 minutes. (maybe the sadb gets cleared within 10 minutes??)
when I look in my log file I have these lines for that 10-minute period, not just 1 but a few..
%PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=(my ip goes here) prot=esp, spi=0xdc525529(0)
I've done some research and on cisco.com they say it's probably a synchronisation problem between the 2 peers.
can it be related to the time on both ends? if on my pix I have ex: 14:30:50 (time) and NG 14:30:05 will this cause a problem?
can it be my pix software version? I have 5.3 and we're at 6.3 (I'm going to update it soon but can it be the cause)?
has anyone had this problem and actually solved it??
thank you.
01-06-2005 07:50 PM
Hi, did you ever resolve the issue above? We appear to be having a similar issue with a pix 515 6.3(1) and a checkpoint NG.
I would be grateful for any info you have.
thanks
Trevor
01-07-2005 05:05 AM
hi,
well the client had 2 checkpoints, each with its own admin, from 2 different places.
my site-to-site works great with the first checkpoint configured by the 1st admin but not the second checkpoint configured by the second admin.
unfortunately I don't know how checkpoint works so I'm unable to say what admin 1 has done to make its checkpoint work.
but at least now the client knows that it is not related to my configs or my pix.
good luck.
use the
debug crypto ipsec
debug crypto isakmp
I think this is the command, not sure ... but look under debug.
it helped me a lot
05-17-2005 12:45 AM
hi there,
We are getting that pesky error:
decaps: rec'd IPSEC packet has invalid spi.
Did you manage to find a permanent solution?
The only way I know is to manually type the command:
clear crypto isakmp sa
Hope to hear from you soon.
TQ
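
Added example, not part of any post in this thread: a small Python script that pulls the %PIX-4-402101 lines out of a syslog file and groups them per SPI into bursts, so you can see how long the peer kept sending on an SPI the PIX no longer holds (the "about 10 minutes" window described in the first post). The timestamp prefix, the hostname "pix", the address 192.0.2.1, the second SPI and the function names are all assumptions made for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message body as quoted in the thread; the leading timestamp layout is an
# assumption about how the syslog server stamps each line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?%PIX-4-402101: .*?"
    r"invalid spi for destaddr=(?P<dst>[^\s,]+),? prot=\w+, "
    r"spi=(?P<spi>0x[0-9a-fA-F]+)")

def parse_invalid_spi(lines):
    """Return (timestamp, destaddr, spi) for each 402101 line; skip the rest."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["dst"], m["spi"].lower()))
    return events

def stale_spi_windows(events, max_gap=timedelta(minutes=5)):
    """Group events per (destaddr, SPI); a silence > max_gap starts a new burst."""
    by_spi = defaultdict(list)
    for ts, dst, spi in sorted(events):
        by_spi[(dst, spi)].append(ts)
    windows = []
    for (dst, spi), stamps in by_spi.items():
        bursts = [[stamps[0]]]
        for ts in stamps[1:]:
            if ts - bursts[-1][-1] > max_gap:
                bursts.append([])
            bursts[-1].append(ts)
        for b in bursts:
            windows.append({"dst": dst, "spi": spi, "start": b[0],
                            "duration": b[-1] - b[0], "count": len(b)})
    return sorted(windows, key=lambda w: w["start"])

# Constructed sample lines (documentation address, made-up second SPI).
MSG = "pix %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=esp, spi="
SAMPLE_LOG = [
    "2004-10-21 05:20:03 " + MSG + "0xdc525529(0)",
    "2004-10-21 05:23:10 " + MSG + "0xdc525529(0)",
    "2004-10-21 05:24:00 pix unrelated line, ignored by the parser",
    "2004-10-21 05:27:30 " + MSG + "0xdc525529(0)",
    "2004-10-21 05:29:55 " + MSG + "0xdc525529(0)",
    "2004-10-21 09:00:00 " + MSG + "0x1a2b3c4d(0)",
]

if __name__ == "__main__":
    for w in stale_spi_windows(parse_invalid_spi(SAMPLE_LOG)):
        print(w["start"], w["spi"], "packets:", w["count"], "lasted:", w["duration"])
```

Comparing each burst's start time with the configured security-association lifetime and with the remote admin's rekey logs shows whether the stale SPI appears right after a rekey on one side only.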