VPN issue

[SYSUSER2015]

have this message, Can ayone hepl me about below error:

: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr.

my VPN is up but sometimes this message appears

my current version:

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.3(3)M, RELEASE SOFTWARE (fc2)

I Follow the procedures in this document but the problem persists.

http://www.cisco.com/image/gif/paws/115801/115801-...

Any one has an idea?

 

[burtsbees]

The only thing I can say is that you have to ensure that all parameters on both sides match exactly. The tunnel will form and packets will be enc/decr on both sides, but SA timers may be different (for example), or even the crypto ACL ACEs may be in a different order, throwing off the P2 timers or something. It's not a big deal, as long as you're happy. It just means that the router or ASA is detecting something on the other end that doesn't match what he's got---this is usually SA timers.

-TIMMAY!

ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY