Several CRYPTO-4-RECVD_PKT_INV_SPI messages from unknown source IPs

mttciscoadmin
Level 1

Hello,

I am currently experiencing an issue with this message showing up in my syslog for several of my 7206VXRs; they are running 12.1(14)E6.

Aug  2 10:20:16 router 400: Aug  2 10:20:15: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=17, spi=0x112233(1122867), srcaddr=83.143.246.30
Aug  2 10:21:31 router 47491: Aug  2 10:21:30: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=17, spi=0x112233(1122867), srcaddr=185.183.105.18

We are not running any remote access or site-to-site IPsec tunnels. The only thing that is being used that involves IPsec is our IPv6 OSPF, which authenticates using IPsec. I have searched everywhere for a solution but cannot figure out how to prevent these IPs from triggering these alerts. I do not want to block the individual IPs, as these attacks almost always seem to come from different IPs and different ranges.

Any help is greatly appreciated!


Hi,
If you aren't running any VPNs on that router, then you could try "no crypto isakmp enable"; this would disable IKE.

Alternatively, you could create an ACL and apply it to your external (internet-facing) interface, denying udp/500, udp/4500 and esp and permitting all else. That should deny any device attempting to establish a VPN tunnel and therefore hopefully prevent those messages also.

HTH

Thanks for the quick response! Would disabling crypto isakmp interfere with the IPv6 OSPF IPsec authentication?

I've not personally implemented IPv6 with IPsec authentication; I've had a quick read and possibly yes, it might. I have no way to check, but I'd err on the side of caution and not use "no crypto isakmp enable" without testing first. If you don't use that, then apply the ACL... I assume you aren't forming an OSPF adjacency over the external interface?

HTH

Yes, it was already enabled; the OSPF works with our other local router, but I do not want to block IPsec traffic completely, as there is most definitely valid IPsec traffic passing through the public side of the router. I would like to just block IPsec to the router itself without needing to block UDP 500 and 4500 to each individual IP programmed on each router.

Accepted Solution

Ok, you could create the ACL to deny to the router itself (the dest address in the error message) and permit the rest; therefore VPN tunnels going through the router should be unaffected.
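As an added, worked version of the ACL suggested in the first reply and narrowed in the accepted solution (this is example configuration written for this page, not a configuration posted by anyone in the thread): the ACL drops IKE (udp/500), NAT-T (udp/4500), ESP and AH only when they are addressed to the router's own public address, and permits everything else so that transit IPsec between other hosts is untouched. The address 203.0.113.1 is a placeholder standing in for the masked destaddr=x.x.x.x in the log, and FastEthernet0/0 is an assumed name for the internet-facing interface; both are assumptions, not values from the thread.

```cisco
! Added example, not from the thread. Placeholders / assumptions:
!   203.0.113.1     = this router's own public address (the masked destaddr=x.x.x.x in the log)
!   FastEthernet0/0 = the internet-facing interface
ip access-list extended DENY-IPSEC-TO-SELF
 remark Drop IKE, NAT-T, ESP and AH aimed at the router itself; transit IPsec is left alone
 deny   udp any host 203.0.113.1 eq 500  log
 deny   udp any host 203.0.113.1 eq 4500 log
 deny   esp any host 203.0.113.1 log
 deny   ahp any host 203.0.113.1 log
 permit ip  any any
!
interface FastEthernet0/0
 ip access-group DENY-IPSEC-TO-SELF in
!
! After applying, confirm the deny lines are matching the offending sources:
! show ip access-lists DENY-IPSEC-TO-SELF
```

A few points worth checking before relying on it. The log lines in the question show prot=17, i.e. the rejected packets arrive as UDP, so the udp/4500 (NAT-T encapsulated ESP) entry is the one those particular messages will hit; the esp/ahp lines cover raw IPsec sent straight to the router. Add one set of deny lines per public address the router holds. Because this is an IPv4 ACL applied with "ip access-group", it has no effect on the IPv6 OSPFv3 IPsec authentication mentioned in the thread, and an inbound ACL on one interface never filters traffic the router originates itself. The "log" keyword makes the denies visible in syslog (rate-limited by the platform); drop it once the hit counters confirm the ACL is doing what you expect, as the point of the exercise is less noise, not more. Note also the last post in the thread: the messages continued with "no crypto isakmp enable" already set, which is consistent with CRYPTO-4-RECVD_PKT_INV_SPI being raised when the router tries to decapsulate a received packet whose SPI it does not know, not by IKE, so disabling ISAKMP alone does not stop them.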

I will give that a try thank you for your help!

Actually, my apologies, I just checked and I already have 'no crypto isakmp enable' set in the router, yet the messages still show up.