Crypto isakmp invalid spi recovery

Stack Exchange network includes 178 Q&A groups inclusive of Stack Overflow, the biggest, most depended on on line network for developers to learn, percentage their knowledge, and build their careers.

Network Engineering Stack Exchange is a query and answer website online for community engineers. It simplest takes a minute to sign on.

Q&A for work

Connect and percentage expertise within a unmarried location that is based and smooth to go looking.

crypto isakmp invalid spi

I even have setup a lab to play with DMVPN and EIGRP. Everything works flawlessly exceptional till I test matters by using shutting down redundant ports. Once I try this the DMVPNs by no means get better even after restoring all ports. I get the mistake proven under from every “site” on each Hub every minute(price restrained to at least one minute iirc). I understand that that is due to the fact ipsec SAs are out of sync but I could suppose there could be a way for them to recover mechanically. What may be finished to synchronize those?

Enabling the invalid SPI restoration command only works with static crypto maps (and VTI) wherein the choices VPN peer is described. It does not paintings with dynamic crypto maps or mGRE with dynamic NHRP (DMVPN).

If the trouble persists, run ISAKMP and IPsec debug at each VPN peer and take a look at the router logs for specifics. Consider Cisco Embedded Event Manager (EEM) as nicely for troubleshooting.

Note as properly for routing troubles: there could be more than one instances of the choices equal error message for the same VPN waft. The convergence time as a result is affected by SA expire putting from the choices source. In addition the Dead Peer Detection may want to affect routing convergence and VPN connectivity.

What happens in case you manually clean the choices SPI from the choices CLI on the devices which might be experiencing the choices invalid SPI? Do the choices SAs get better robotically then?

Replace $spi with the choices SPI cost discovered from display crypto ipsec sa

My stoop is that the choices SAs are becoming out of sync but have prolonged default timers (isakmp is 24h by using default, ipsec sa is 8h by means of default) for this reason they may not clean until guide intervention is finished before those default timers expire.

Please post your complete config and additionally provide IPSec outputs display crypto sa, and so on.

If the choices IOS is just too old, bug CSCsq59183 incorrectly shows those messages.

It may additionally assist us that will help you in case you offer the DMVPN configuration (as a minimum, the Tunnel interface config) of HUB and at the least one SPOKE.

Your Answer

Thanks for contributing an answer to Network Engineering Stack Exchange!

To learn greater, see our recommendations on writing extremely good solutions.

Required, however by no means proven

Required, however in no way shown

By clicking “Post Your Answer”, you settle to our phrases of carrier, privacy coverage and cookie coverage

Not the answer you're searching out? Browse other questions tagged vpn ipsec or ask your very own query.

site layout / emblem © 2021 Stack Exchange Inc; consumer contributions certified beneath cc through-sa. rev 2021.10.8.40416

By clicking “Accept all cookies”, you compromise Stack Exchange can store cookies for your tool and disclose records according with our Cookie Policy.