Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1032
Views
0
Helpful
3
Replies

VTI tunnel problem

Harutyun Hakobyan
Level 1
Level 1

‎04-16-2013 06:05 AM

Hi all,

We have VTI tunnels between Cisco (3825 and 878) and Juniper (SRX3600).

Sometimes tunnel is going down and I should manualy shutdown and no shutdown tunnel interface to bring it up.

This is logs from Cisco:

%%crypto-4-recvd_pkt_inv_spi: decaps: rec'd ipsec packet has invalid spi for destaddr=X.Y.100.200, prot=50, spi=0xc5d07a33(3318774323), srcaddr=X.Y.100.100

%%crypto-4-ikmp_no_sa: ike message from X.Y.100.100 has no sa and is not an initialization offer

X.Y.100.100 is Juniper SRX3600

X.Y.100.200 is Cisco 3825

But I see this logs more often, than tunnel is going down!

So what is problem?

Thanks

Labels:
0 Helpful
3 Replies 3

blau grana
Level 7
Level 7

‎04-16-2013 06:11 AM

Hello,

this should help #crypto           isakmp invalid-spi-recovery

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080bf6100.shtml

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions
0 Helpful

Harutyun Hakobyan
Level 1
Level 1
In response to blau grana

‎04-25-2013 06:19 AM

Thanks for reply,

I added crypto isakmp invalid-spi-recovery on Cisco 3825, but tunnel interface still is going down.

0 Helpful

Rudy Sanjoko
Level 4
Level 4
In response to Harutyun Hakobyan

‎04-29-2013 01:13 AM

make sure your phase 1 and 2 parameters are matching on both ends, try to disable the pfs if you have it enabled, try to enable the keepalive, see if these can help.

0 Helpful
Customers Also Viewed These Support Documents