Solved: Several CRYPTO-4-RECVD_PKT_INV_SPI messages from unknown source ip's

mttciscoadmin · ‎08-02-2018

Hello,

I am currently experiencing an issue with this message showing up in my syslog for several of my 7206VXR's they are running 12.1(14)E6.

Aug  2 10:20:16 router 400: Aug  2 10:20:15: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=17, spi=0x112233(1122867), srcaddr=83.143.246.30
Aug  2 10:21:31 router 47491: Aug  2 10:21:30: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=17, spi=0x112233(1122867), srcaddr=185.183.105.18

We are not running any remote access or site-to-site ipsec tunnels. The only thing that is being used that involves ipsec is our ipv6 ospf authenticates using ipsec. I have searched everywhere for a solution but cannot figure out how to prevent these ip's from triggering these alerts. I do not want to block the individual ip's as these attacks almost always seem to come from different ip's and different ranges.

Any help is greatly appreciated!

Rob Ingram · ‎08-02-2018

Ok, you could create the ACL to deny to the router itself (the dest address in the errror message) and permit the rest, therefore VPN tunnels going through the router should be un-affected.

View solution in original post

Rob Ingram · ‎08-02-2018

Hi,
If you aren't running any VPN's on that router, then you could try "no crypto isakmp enable" this would disable IKE.

Alternatively you could create an ACL and apply to your external (internet facing) interface, denying udp/500. udp/4500, esp and permit all else. That should deny any device attempting to establish a VPN tunnel and therefore hopefully prevent those messages also.

HTH

mttciscoadmin · ‎08-02-2018

Thanks for the quick response! Would disabling crypto isakmp interfere with the ipv6 ospf ipsec authentication?

Rob Ingram · ‎08-02-2018

I've not personally implemented IPv6 with ipsec authentication, I've had a quick read and possibly yes it might. I have no way to check, but I'd err on the side of caution and not use "no crypto isakmp enable" without testing first. If you don't use that then apply the ACL....I assume you aren't forming an ospf adjacency over the external interface?

HTH

mttciscoadmin · ‎08-02-2018

Yes it was already enabled, the ospf works with our other local router but I do not want to block ipsec traffic completely as there are most definitely valid ipsec traffic passing through public side of the router. I would hopefully like to just block ipsec to the router itself without needing to block UDP 500 and 4500 to each individual ip programmed on each router

Rob Ingram · ‎08-02-2018

Ok, you could create the ACL to deny to the router itself (the dest address in the errror message) and permit the rest, therefore VPN tunnels going through the router should be un-affected.

mttciscoadmin · ‎08-02-2018

I will give that a try thank you for your help!

mttciscoadmin · ‎08-02-2018

Actually my apologies I just checked and I already have 'no crypto isakmp enable' set in the router yet the messages still show up