IPSec SPI
Mike Hammett
nanog at ics-il.net
Wed Dec 20 03:03:10 UTC 2017
Is it possible for light packet loss (0.1% - 0.3%) to cause these errors:
Dec 18 00:12:07.098: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=Z.Z.Z.Z, prot=50, spi=0x9E6D41B7(2657960375), srcaddr=B.B.B.B, input interface=GigabitEthernet0/2
Dec 18 00:20:47.848: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= Z.Z.Z.Z , prot=50, spi=0x430A8C9C(1124764828), srcaddr=A.A.A.A, input interface=GigabitEthernet0/2
Dec 18 00:28:39.781: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= Z.Z.Z.Z , prot=50, spi=0x8716502A(2266386474), srcaddr=A.A.A.A, input interface=GigabitEthernet0/2
I look it up and none of the pages I find say anything about connection quality and everything about configuration and timing.
My client is insisting that it can't possibly be their problem and that it's entirely because of the packet loss.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
More information about the NANOG
mailing list