IPSec SPI
Mike Hammett
nanog at ics-il.net
Wed Dec 20 03:09:10 UTC 2017
Note: I'm working on figuring out the cause of the packet loss regardless of their position. I would just like them to solve their problem if it isn't me.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
----- Original Message -----
From: "Mike Hammett" <nanog at ics-il.net>
To: "NANOG list" <nanog at nanog.org>
Sent: Tuesday, December 19, 2017 9:03:10 PM
Subject: IPSec SPI
Is it possible for light packet loss (0.1% - 0.3%) to cause these errors:
Dec 18 00:12:07.098: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=Z.Z.Z.Z, prot=50, spi=0x9E6D41B7(2657960375), srcaddr=B.B.B.B, input interface=GigabitEthernet0/2
Dec 18 00:20:47.848: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= Z.Z.Z.Z , prot=50, spi=0x430A8C9C(1124764828), srcaddr=A.A.A.A, input interface=GigabitEthernet0/2
Dec 18 00:28:39.781: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= Z.Z.Z.Z , prot=50, spi=0x8716502A(2266386474), srcaddr=A.A.A.A, input interface=GigabitEthernet0/2
I look it up and none of the pages I find say anything about connection quality and everything about configuration and timing.
My client is insisting that it can't possibly be their problem and that it's entirely because of the packet loss.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
More information about the NANOG
mailing list