IPSec SPI

Mike Hammett nanog at ics-il.net
Wed Dec 20 03:03:10 CST 2017


Is it possible for light packet loss (0.1% - 0.3%) to cause these errors: 

Dec 18 00:12:07.098: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=Z.Z.Z.Z, prot=50, spi=0x9E6D41B7(2657960375), srcaddr=B.B.B.B, input interface=GigabitEthernet0/2 
Dec 18 00:20:47.848: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= Z.Z.Z.Z , prot=50, spi=0x430A8C9C(1124764828), srcaddr=A.A.A.A, input interface=GigabitEthernet0/2 
Dec 18 00:28:39.781: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= Z.Z.Z.Z , prot=50, spi=0x8716502A(2266386474), srcaddr=A.A.A.A, input interface=GigabitEthernet0/2 


I look it up and none of the pages I find say anything about connection quality and everything about configuration and timing. 

My client is insisting that it can't possibly be their problem and that it's entirely because of the packet loss. 






----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 


More information about the NANOG mailing list