Solved: "rec'd IPSEC packet has invalid spi" errors in VPN connections

Stephan90 · ‎09-13-2018

I have a simple network of a few Cisco routers. Once in a while I'm seeing a "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi" error, even though my VPN connection works well.

What can cause these messages?

Andrew_Larson · ‎09-13-2018

The meaning of the message is that one side of the IPSEC tunnel received a packet with an invalid SPI. The SPI (Security Parameter Index) is used to identify the SA (Security Association) of the packet - which contains the information needed to handle the encrypted traffic. Usually, this message indicates that the SAs of the the peers are out of sync, which happens sometimes when the SA ages out and is reestablished.

To manually force the SAs to sync, issue the "clear crypto isakmp" and "clear crypto sa" commands. In addition, you can add the command "crypto isakmp invalid-spi-recovery" to the global configuration of the routes. This will make the routers notify one another when receiving this error - which should start the syncing process automatically.

View solution in original post

Rob Ingram · ‎09-13-2018

Hi,

Sometimes IPsec SAs can become out of sync between the peer devices. This link may help provide some back and hopefully a resolution.

HTH

Andrew_Larson · ‎09-13-2018

The meaning of the message is that one side of the IPSEC tunnel received a packet with an invalid SPI. The SPI (Security Parameter Index) is used to identify the SA (Security Association) of the packet - which contains the information needed to handle the encrypted traffic. Usually, this message indicates that the SAs of the the peers are out of sync, which happens sometimes when the SA ages out and is reestablished.

To manually force the SAs to sync, issue the "clear crypto isakmp" and "clear crypto sa" commands. In addition, you can add the command "crypto isakmp invalid-spi-recovery" to the global configuration of the routes. This will make the routers notify one another when receiving this error - which should start the syncing process automatically.

Stephan90 · ‎09-13-2018

Great answer. Thank you!

anthony malpass · ‎09-01-2022

Hi Andrew,

does this have to be enabled both ends. Also if i enable it will have any affect on live VPN's

krisv1 · ‎01-23-2023

Logged in just to upvote this response. Solved my issue right away

jorgeldd · ‎08-13-2023

I HAD THIS SAME PROBLEM AFTER THE TUNNEL´S PHYSICAL INTERFACE WAS DOWN, HERE WHAT I SAW:

H1#SH DMVPN
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 192.168.0.12 172.21.1.12 UP 00:00:44 D
0 UNKNOWN 172.21.1.13 NHRP never IX

*Aug 13 18:49:00.775: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.0.11, prot=50, spi=0x2ABA425E(716849758), srcaddr=192.168.0.14, input interface=Ethernet0/0
i issued the command crypto isakmp invalid-spi-recovery in both hub and spoke router but that doesnt raised the tunnel.

the solution that was succeful was clearing the crypto sessions in spokes routers. after this i saw:

*Aug 13 18:49:58.608: %CRYPTO-4-IKMP_NO_SA: IKE message from 192.168.0.14 has no SA and is not an initialization offer
H1#sh dmvpn
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.0.12 172.21.1.12 UP 00:03:30 D
1 192.168.0.13 172.21.1.13 UP 00:01:28 D
1 192.168.0.14 172.21.1.14 UP 00:00:03 D

but is there any solution for coming up the tunnels whithout clearing crypto sessions, that´s why i have a flapping fiber connection in the hub, and it is not going to be troubleshooting yet. any suggestion?