Re: IPSec SPI

[Mike Hammett <nanog () ics-il net>]

Note: I'm working on figuring out the cause of the packet loss regardless of their position. I would just like them to 
solve their problem if it isn't me. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "Mike Hammett" <nanog () ics-il net> 
To: "NANOG list" <nanog () nanog org> 
Sent: Tuesday, December 19, 2017 9:03:10 PM 
Subject: IPSec SPI 

Is it possible for light packet loss (0.1% - 0.3%) to cause these errors: 

Dec 18 00:12:07.098: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=Z.Z.Z.Z, 
prot=50, spi=0x9E6D41B7(2657960375), srcaddr=B.B.B.B, input interface=GigabitEthernet0/2 
Dec 18 00:20:47.848: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= Z.Z.Z.Z , 
prot=50, spi=0x430A8C9C(1124764828), srcaddr=A.A.A.A, input interface=GigabitEthernet0/2 
Dec 18 00:28:39.781: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= Z.Z.Z.Z , 
prot=50, spi=0x8716502A(2266386474), srcaddr=A.A.A.A, input interface=GigabitEthernet0/2 


I look it up and none of the pages I find say anything about connection quality and everything about configuration and 
timing. 

My client is insisting that it can't possibly be their problem and that it's entirely because of the packet loss. 






----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com