IPsec Invalid SPI Errors and Invalid SPI Recovery

Article ID: 176396

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Experiencing a perceived outage with the Cloud SWG (formerly known as WSS) service. The following message is logged:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=......

Environment

Cisco

IPSec

Cloud SWG

Cause

See Cisco documentation: 

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/115801-technote-iosvpn-00.html

The IPsec security associations (SAs) are out of sync between the devices. One device sends encrypted traffic using SAs that its peer does not know about, and the peer then drops those packets.

Resolution

To verify this, a packet capture (pcap) needs to be taken from the Symantec/Broadcom concentrator. A case must be opened and escalated to NOC or Backline so that support can take the capture.

At the exact same time, a pcap needs to be run on the customer's end while the issue is occurring.
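
One way to read the customer-side capture once it exists, as an added example that is not Broadcom or Cisco code: it lists the ESP SPIs arriving at the local device and flags those missing from the device's inbound SA list, which is the out-of-sync condition described under Cause. Assumptions: the function names are hypothetical, the capture is a classic little-endian pcap with Ethernet/IPv4 framing (not pcapng), the set of inbound SPIs is copied by hand from the device's SA table (for example from `show crypto ipsec sa`), and the sample capture is constructed.

```python
import socket
import struct
from collections import Counter

def esp_spis(pcap):
    """Count ESP packets per (src, dst, spi) in a little-endian classic pcap (Ethernet, IPv4)."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian classic pcap with Ethernet link type")
    seen, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame, off = pcap[off + 16 : off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = frame[14:]
        proto, body = ip[9], ip[(ip[0] & 0x0F) * 4 :]
        if proto == 17 and len(body) >= 8:  # UDP: ESP may be NAT-T encapsulated on port 4500
            if 4500 not in struct.unpack_from("!HH", body):
                continue
            body = body[8:]
            if body[:4] == b"\x00" * 4:  # non-ESP marker means IKE, not ESP
                continue
        elif proto != 50:  # 50 = ESP
            continue
        if len(body) < 8:  # too short for SPI + sequence number (e.g. NAT keepalive)
            continue
        spi = struct.unpack_from("!I", body)[0]
        seen[(socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), spi)] += 1
    return seen

def unknown_inbound(pcap, local_ip, inbound_spis):
    """ESP flows sent to local_ip whose SPI is absent from that device's inbound SA list."""
    return {k: n for k, n in esp_spis(pcap).items() if k[1] == local_ip and k[2] not in inbound_spis}

def _frame(src, dst, proto, payload):  # builds one constructed Ethernet/IPv4 frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

# Constructed sample capture: documentation addresses and made-up SPIs.
ROUTER, CONC = "192.0.2.10", "198.51.100.20"
_esp = lambda spi, seq: struct.pack("!II", spi, seq) + b"\x00" * 16
FRAMES = [_frame(CONC, ROUTER, 50, _esp(0x1111AAAA, 1)),   # SPI the router knows
          _frame(CONC, ROUTER, 50, _esp(0x2222BBBB, 7)),   # SPI the router does not know
          _frame(CONC, ROUTER, 17, struct.pack("!HHHH", 4500, 4500, 36, 0) + b"\x00" * 28),  # IKE
          _frame(ROUTER, CONC, 50, _esp(0x3333CCCC, 3))]   # outbound direction
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in FRAMES)
```

Calling `unknown_inbound(SAMPLE, ROUTER, {0x1111AAAA})` returns the one flow whose SPI has no matching inbound SA. Running `esp_spis` over the concentrator-side capture as well shows whether each side is still sending on an SPI the other has discarded.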