Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
617
Views
5
Helpful
3
Replies

Problems with VPN through 28xx router (CRYPTO-4-RECVD_PKT_INV_SPI)

obrenes
Level 1
Level 1

‎01-15-2007 11:45 AM - edited ‎02-21-2020 02:48 PM

Hi everyone,

I have a VPN tunnel between a Cisco VPN client 4.8.01.0300 and a VPN concentrator 4.1.7.P. When I have a 25xx or 26xx router in the middle of the tunnel everything works just fine. This router is not involved or related in any way with the VPN tunnel. He?s just routing packets between the 2 VPN peers.

When a have a 28xx router with an advanced-security IOS image the negotiation of the tunnel succeeded but traffic is unable to cross the tunnel.

In the 28xx router console, I get the following error:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi ?

It seems that the router is checking every IPsec packet even though it?s not a peer of the VPN tunnel.

I checked the ?Cisco Error Message Decoder? tool and found the following:

?An IPSec packet was received that specified an SPI that does not exist in the SADB?

Once again, this router is not related in any way to the VPN tunnel, that?s why the SPI is not in his SADB.

Is there any way to avoid this checking procedure?? Or any other way to fix this situation??

Thanks in advance.

Omar.

Labels:
0 Helpful
3 Replies 3

5220
Level 4
Level 4

‎01-15-2007 11:42 PM

Hi Omar,

If 28xx is configured for remote access, try to remove the lines.

If not, enable NAT transparency on the Concentrator and VPN Client, and permit port 4500 UDP and 500 UDP through the 28xx.

Please rate if this helped.

Regards,

Daniel

obrenes
Level 1
Level 1
In response to 5220

‎01-22-2007 09:12 AM

Hi Daniel, thanks for the reply. I don?t know why I didn?t get an email notifying me about it.

The 28xx is not configured for remote access.

I?m going to enable the NAT transparency in the communication. I will get back to you as soon as I test it.

0 Helpful

obrenes
Level 1
Level 1
In response to 5220

‎02-15-2007 01:36 PM

Daniel,

Thank you for your help. The problem was solved using IPSec/TCP.

The Cisco IPSec/UDP did not work and I didn't tried using NAT transparency (design requirements).

Regards,

Omar

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents