List: nanog
Subject: RE: IPSec SPI
From: "Naslund, Steve" <SNaslund () medline ! com>
Date: 2017-12-20 15:19:28
Message-ID: 9578293AE169674F9A048B2BC9A081B4027EA6251F () MUNPRDMBXA1 ! medline ! com
It is definitely possible. The invalid SPI indicates that the device received a packet for which it does not have a valid SA. It is normal during a crypto rekey when the traffic was sent on an older or newer SA than the receiving device. It all depends on how often it is happening. A couple a day would probably just be normal operation. If they are very often it could be a code bug or packet loss causing loss of crypto sync between devices. I would first ask how often and next ask if they have dead peer detection enabled. Not having dead peer detection can cause this condition to go on for much longer than necessary. Note that Cisco limits the messages to one per minute to avoid DoS attacks. Which brings up another point: are you sure that the traffic causing the messages is sourced from a peer they should actually be talking with? You would get the same message if I sent IPsec encrypted traffic to them and I am not configured as a peer.

If it was working and just now started happening it is probably packet loss or a bug. I would also suggest a reboot on the devices to make sure that this is not a low mem condition, which also causes these once in a while on our devices.
Steven Naslund
Chicago IL
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Mike Hammett
> Sent: Tuesday, December 19, 2017 9:03 PM
> To: NANOG list
> Subject: IPSec SPI
>
> Is it possible for light packet loss (0.1% - 0.3%) to cause these errors:
>
> Dec 18 00:12:07.098: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=Z.Z.Z.Z, prot=50, spi=0x9E6D41B7(2657960375), srcaddr=B.B.B.B, input interface=GigabitEthernet0/2
> Dec 18 00:20:47.848: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= Z.Z.Z.Z , prot=50, spi=0x430A8C9C(1124764828), srcaddr=A.A.A.A, input interface=GigabitEthernet0/2
> Dec 18 00:28:39.781: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= Z.Z.Z.Z , prot=50, spi=0x8716502A(2266386474), srcaddr=A.A.A.A, input interface=GigabitEthernet0/2
>
> I look it up and none of the pages I find say anything about connection quality and everything about configuration and timing.
> My client is insisting that it can't possibly be their problem and that it's entirely because of the packet loss.
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
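The two triage questions in the reply above (how often is it happening, and is the source actually a configured peer?) can be answered from the syslog itself. The script below is an added example written for this page; it is not code from either poster or from Cisco. It parses the %CRYPTO-4-RECVD_PKT_INV_SPI format quoted in the thread, groups events by source address, and marks sources that are not in a caller-supplied peer list or that exceed a rough "a couple a day" threshold. The year (absent from the syslog timestamp), the peer set, the log span and the threshold are all assumptions supplied by the caller; the C.C.C.C lines and the unrelated %SYS line in the sample are constructed, the other three are the thread's own.

```python
"""Triage Cisco %CRYPTO-4-RECVD_PKT_INV_SPI syslog messages.

Added example for this thread, not code from its authors or from Cisco.
Assumptions: the message format is the one quoted in the thread; the year is
supplied by the caller (the syslog timestamp carries none); the "normal"
threshold of a couple of events per day is the rough heuristic from the reply,
not a vendor figure.
"""
import re
from collections import defaultdict
from datetime import datetime

INV_SPI_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,6})?): "
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi "
    r"for destaddr= ?(?P<dst>[^\s,]+) ?, prot=(?P<prot>\d+), "
    r"spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>[^\s,]+), "
    r"input interface=(?P<iface>\S+)"
)


def parse_inv_spi(line, assumed_year=2017):
    """Parse one RECVD_PKT_INV_SPI line into a dict; return None for anything else."""
    m = INV_SPI_RE.search(line)
    if not m:
        return None
    ts_text = m.group("ts")
    fmt = "%Y %b %d %H:%M:%S.%f" if "." in ts_text else "%Y %b %d %H:%M:%S"
    return {
        "ts": datetime.strptime(f"{assumed_year} {ts_text}", fmt),
        "dst": m.group("dst"),
        "src": m.group("src"),
        "prot": int(m.group("prot")),   # 50 = ESP
        "spi": int(m.group("spi"), 16),
        "iface": m.group("iface"),
    }


def summarize(lines, configured_peers, log_span_hours=24, assumed_year=2017,
              normal_per_day=2):
    """Group invalid-SPI events by source address and attach a triage verdict.

    log_span_hours: wall-clock time the supplied log covers, used to scale the
    observed count to a per-day figure. Cisco rate-limits this message to one
    per minute, so every count here is a lower bound on real occurrences.
    """
    if log_span_hours <= 0:
        raise ValueError("log_span_hours must be positive")
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_inv_spi(line, assumed_year)
        if ev:
            by_src[ev["src"]].append(ev)

    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        per_day = len(evs) * 24 / log_span_hours
        known = src in configured_peers
        if not known:
            verdict = "unexpected_source"   # not a configured peer: find out who sends us ESP
        elif per_day > normal_per_day:
            verdict = "frequent"            # suspect packet loss, a code bug, or DPD disabled
        else:
            verdict = "likely_rekey_noise"  # a couple a day around rekeys is normal
        report[src] = {
            "count": len(evs),
            "per_day": per_day,
            "distinct_spis": len({e["spi"] for e in evs}),
            "first": evs[0]["ts"],
            "last": evs[-1]["ts"],
            "window_seconds": (evs[-1]["ts"] - evs[0]["ts"]).total_seconds(),
            "known_peer": known,
            "verdict": verdict,
        }
    return report


# Sample input: the first three lines are the thread's own; the rest are constructed.
SAMPLE_LOG = [
    "Dec 18 00:12:07.098: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=Z.Z.Z.Z, prot=50, spi=0x9E6D41B7(2657960375), srcaddr=B.B.B.B, input interface=GigabitEthernet0/2",
    "Dec 18 00:20:47.848: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= Z.Z.Z.Z , prot=50, spi=0x430A8C9C(1124764828), srcaddr=A.A.A.A, input interface=GigabitEthernet0/2",
    "Dec 18 00:28:39.781: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= Z.Z.Z.Z , prot=50, spi=0x8716502A(2266386474), srcaddr=A.A.A.A, input interface=GigabitEthernet0/2",
    "Dec 18 03:00:01.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=Z.Z.Z.Z, prot=50, spi=0x00000101(257), srcaddr=C.C.C.C, input interface=GigabitEthernet0/2",
    "Dec 18 03:05:01.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=Z.Z.Z.Z, prot=50, spi=0x00000102(258), srcaddr=C.C.C.C, input interface=GigabitEthernet0/2",
    "Dec 18 03:10:01.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=Z.Z.Z.Z, prot=50, spi=0x00000103(259), srcaddr=C.C.C.C, input interface=GigabitEthernet0/2",
    "Dec 18 03:10:02.000: %SYS-5-CONFIG_I: Configured from console by vty0",  # unrelated, skipped
]

if __name__ == "__main__":
    # Assumed peer set: A.A.A.A and C.C.C.C are configured, B.B.B.B is not.
    for src, info in summarize(SAMPLE_LOG, {"A.A.A.A", "C.C.C.C"}).items():
        print(f"{src}: {info['count']} events, {info['distinct_spis']} SPIs, "
              f"known_peer={info['known_peer']}, verdict={info['verdict']}")
```

Run against a real log, `summarize()` needs only the crypto map or IKE peer list as `configured_peers` and the number of hours the log covers. A source that is not a configured peer is the case the reply singles out: the message looks identical whether it comes from a peer mid-rekey or from an arbitrary host sending ESP at the interface, so the source address, not the message text, decides which one you are looking at. Because the device emits at most one message per minute, a "frequent" verdict understates the true rate rather than overstating it.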