<div dir="ltr">Frank-<div><br></div><div>I'll contact you directly about this. </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Dec 18, 2020 at 1:20 PM Frank Bulk <<a href="mailto:frnkblk@iname.com">frnkblk@iname.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Curious if someone can point me in the right direction. In the last three<br>
days our core router (Cisco 7609) has logged the following events:<br>
<br>
Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC<br>
packet has invalid spi for destaddr=<redacted>, prot=50,<br>
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20<br>
Dec 16 20:41:47.822 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC<br>
packet has invalid spi for destaddr=<redacted>, prot=50,<br>
spi=0xEF7ED795(4018067349), srcaddr=203.84.212.18, input interface=Vlan20<br>
Dec 16 21:28:12.667 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC<br>
packet has invalid spi for destaddr=<redacted>, prot=50,<br>
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.36, input interface=Vlan21<br>
Dec 16 22:22:40.558 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC<br>
packet has invalid spi for destaddr=<redacted>, prot=50,<br>
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan21<br>
Dec 16 22:42:17.404 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC<br>
packet has invalid spi for destaddr=<redacted>, prot=50,<br>
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan20<br>
Dec 17 00:04:34.704 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC<br>
packet has invalid spi for destaddr=<redacted>, prot=50,<br>
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.34, input interface=Vlan21<br>
Dec 17 00:05:41.656 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC<br>
packet has invalid spi for destaddr=<redacted>, prot=50,<br>
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.103, input interface=Vlan20<br>
Dec 17 08:54:29.583 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC<br>
packet has invalid spi for destaddr=<redacted>, prot=50,<br>
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.104, input interface=Vlan21<br>
Dec 17 09:20:31.881 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC<br>
packet has invalid spi for destaddr=<redacted>, prot=50,<br>
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.37, input interface=Vlan21<br>
Dec 17 19:45:29.615 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC<br>
packet has invalid spi for destaddr=<redacted>, prot=50,<br>
spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.36, input interface=Vlan20<br>
Dec 17 19:59:52.663 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC<br>
packet has invalid spi for destaddr=<redacted>, prot=50,<br>
spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.24, input interface=Vlan20<br>
Dec 17 23:20:02.869 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC<br>
packet has invalid spi for destaddr=<redacted>, prot=50,<br>
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.99, input interface=Vlan21<br>
Dec 18 00:15:19.536 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC<br>
packet has invalid spi for destaddr=<redacted>, prot=50,<br>
spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.53, input interface=Vlan21<br>
Dec 18 00:43:00.158 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC<br>
packet has invalid spi for destaddr=<redacted>, prot=50,<br>
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.101, input interface=Vlan20<br>
Dec 18 00:44:52.018 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC<br>
packet has invalid spi for destaddr=<redacted>, prot=50,<br>
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.100, input interface=Vlan21<br>
<br>
<br>
All the destination IP addresses are in one of two categories:<br>
- router interface<br>
- inactive IP (no ARP entry)<br>
<br>
Vlans 20 and 21 are the Vlans facing our two edge/border routers.<br>
<br>
If I do a PTR lookup of each source IP, they're all some kind of<br>
cryptographic server in Yahoo's network:<br>
<br>
203.84.212.18|18.212.84.203.in-addr.arpa domain name pointer<br>
<a href="http://lo301.cry1.sg3.yahoo.com" rel="noreferrer" target="_blank">lo301.cry1.sg3.yahoo.com</a>.<br>
203.84.212.24|24.212.84.203.in-addr.arpa domain name pointer<br>
<a href="http://lo303.cry2.sg3.yahoo.com" rel="noreferrer" target="_blank">lo303.cry2.sg3.yahoo.com</a>.<br>
203.84.212.36|36.212.84.203.in-addr.arpa domain name pointer<br>
<a href="http://lo303.cry1.tw1.yahoo.com" rel="noreferrer" target="_blank">lo303.cry1.tw1.yahoo.com</a>.<br>
203.84.212.53|53.212.84.203.in-addr.arpa domain name pointer<br>
<a href="http://lo300.cry2.tp2.yahoo.com" rel="noreferrer" target="_blank">lo300.cry2.tp2.yahoo.com</a>.<br>
68.180.160.100|100.160.180.68.in-addr.arpa domain name pointer<br>
<a href="http://lo303.cry1.md2.yahoo.com" rel="noreferrer" target="_blank">lo303.cry1.md2.yahoo.com</a>.<br>
68.180.160.101|101.160.180.68.in-addr.arpa domain name pointer<br>
<a href="http://lo300.cry2.md2.yahoo.com" rel="noreferrer" target="_blank">lo300.cry2.md2.yahoo.com</a>.<br>
68.180.160.103|103.160.180.68.in-addr.arpa domain name pointer<br>
<a href="http://lo302.cry2.md2.yahoo.com" rel="noreferrer" target="_blank">lo302.cry2.md2.yahoo.com</a>.<br>
68.180.160.104|104.160.180.68.in-addr.arpa domain name pointer<br>
<a href="http://lo303.cry2.md2.yahoo.com" rel="noreferrer" target="_blank">lo303.cry2.md2.yahoo.com</a>.<br>
68.180.160.18|18.160.180.68.in-addr.arpa domain name pointer<br>
<a href="http://lo301.cry1.ne1.yahoo.com" rel="noreferrer" target="_blank">lo301.cry1.ne1.yahoo.com</a>.<br>
68.180.160.34|34.160.180.68.in-addr.arpa domain name pointer<br>
<a href="http://lo301.cry1.bf1.yahoo.com" rel="noreferrer" target="_blank">lo301.cry1.bf1.yahoo.com</a>.<br>
68.180.160.36|36.160.180.68.in-addr.arpa domain name pointer<br>
<a href="http://lo303.cry1.bf1.yahoo.com" rel="noreferrer" target="_blank">lo303.cry1.bf1.yahoo.com</a>.<br>
68.180.160.37|37.160.180.68.in-addr.arpa domain name pointer<br>
<a href="http://lo300.cry2.bf1.yahoo.com" rel="noreferrer" target="_blank">lo300.cry2.bf1.yahoo.com</a>.<br>
68.180.160.99|99.160.180.68.in-addr.arpa domain name pointer<br>
<a href="http://lo302.cry1.md2.yahoo.com" rel="noreferrer" target="_blank">lo302.cry1.md2.yahoo.com</a>.<br>
<br>
Any idea what's going on here?  It's as if our 7600 is inspecting this<br>
traffic (presumably because it's not transit, it's being processed by the<br>
CPU) and seeing something special about it. Even if the router is not<br>
behaving correctly, why is Yahoo sending that kind of traffic to those IPs?<br>
<br>
Frank<br>
AS53347<br>
<br>
</blockquote></div>
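<p>The messages quoted above are one syslog line each on the router; the mail client wrapped them. As an added example (not code from the thread or from Cisco), the script below parses %CRYPTO-4-RECVD_PKT_INV_SPI lines, groups them by SPI and source address, counts hits per input interface, and flags any SPI that arrives from more than one source, since an inbound IPsec SA is negotiated with a single peer. The sample log lines are the thread's own events re-joined to one line each plus one unrelated IOS message to show filtering; the PTR table is a constructed offline stand-in built from the lookups quoted in the thread, and <code>live_ptr</code> is offered for a real lookup via <code>socket.gethostbyaddr</code>. Function and variable names are this example's own.</p>

```python
import re
import socket
from collections import defaultdict
from dataclasses import dataclass

# Matches the IOS message as logged on the 7609, one event per line.
INV_SPI_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>\w+): "
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi "
    r"for destaddr=(?P<dst>\S+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi>[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>[\d.]+), "
    r"input interface=(?P<ifname>\S+)$"
)

# Constructed sample: events from the thread re-joined to single lines,
# plus one unrelated IOS message that the parser must ignore.
SAMPLE_LOG = [
    "Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20",
    "Dec 16 19:05:00.000 CST: %SYS-5-CONFIG_I: Configured from console by console",
    "Dec 16 20:41:47.822 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=203.84.212.18, input interface=Vlan20",
    "Dec 16 21:28:12.667 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.36, input interface=Vlan21",
    "Dec 17 08:54:29.583 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.104, input interface=Vlan21",
    "Dec 17 19:45:29.615 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.36, input interface=Vlan20",
    "Dec 18 00:43:00.158 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.101, input interface=Vlan20",
]

# Constructed offline PTR table, copied from the lookups quoted in the thread.
CONSTRUCTED_PTR = {
    "203.84.212.18": "lo301.cry1.sg3.yahoo.com",
    "203.84.212.36": "lo303.cry1.tw1.yahoo.com",
    "68.180.160.18": "lo301.cry1.ne1.yahoo.com",
    "68.180.160.36": "lo303.cry1.bf1.yahoo.com",
    "68.180.160.101": "lo300.cry2.md2.yahoo.com",
    "68.180.160.104": "lo303.cry2.md2.yahoo.com",
}


@dataclass(frozen=True)
class InvSpiEvent:
    ts: str
    dst: str
    prot: int
    spi: int
    src: str
    ifname: str


def parse_inv_spi(lines):
    """Return InvSpiEvent objects for every line that is an invalid-SPI message."""
    events = []
    for line in lines:
        m = INV_SPI_RE.match(line.strip())
        if m:
            events.append(InvSpiEvent(m["ts"], m["dst"], int(m["prot"]),
                                      int(m["spi"], 16), m["src"], m["ifname"]))
    return events


def table_ptr(ip):
    """Offline resolver backed by the constructed table (None if unknown)."""
    return CONSTRUCTED_PTR.get(ip)


def live_ptr(ip):
    """Real reverse lookup; swap in for table_ptr when network access is acceptable."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def summarize(events, resolver=table_ptr):
    """Group events by SPI and interface, resolve sources, flag multi-source SPIs."""
    by_spi = defaultdict(set)
    by_if = defaultdict(int)
    for e in events:
        by_spi[f"0x{e.spi:08X}"].add(e.src)
        by_if[e.ifname] += 1
    sources = sorted({e.src for e in events})
    return {
        "spis": {spi: sorted(srcs) for spi, srcs in by_spi.items()},
        # One inbound SA belongs to one peer, so one SPI from many sources is notable.
        "shared_spis": sorted(spi for spi, srcs in by_spi.items() if len(srcs) > 1),
        "by_interface": dict(by_if),
        "ptr": {ip: resolver(ip) for ip in sources},
    }


if __name__ == "__main__":
    report = summarize(parse_inv_spi(SAMPLE_LOG))
    for spi, srcs in report["spis"].items():
        flag = " (multiple sources)" if spi in report["shared_spis"] else ""
        print(f"{spi}{flag}:")
        for ip in srcs:
            print(f"  {ip:16} {report['ptr'][ip] or '-'}")
    print("per interface:", report["by_interface"])
```

<p>Feed it the router's syslog (for example <code>show logging</code> output saved to a file) instead of <code>SAMPLE_LOG</code>; the per-SPI view makes it obvious when a single SPI is arriving from many unrelated addresses, which is the pattern visible in the events quoted above.</p>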