[c-nsp] Trouble with %CRYPTO-4-RECVD_PKT_INV_SPI
Thorsten Ziegler
tziegler+cisco-nsp at imap.schlund.de
Wed Jul 20 11:39:48 EDT 2005
Hi,

I'm getting annoyed by lots of these error messages:

Jul 20 11:37:01: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet
has invalid spi for
destaddr=224.0.0.18, prot=51, spi=0xAC170406(-1407777786),
srcaddr=172.23.4.6

As you can see, the Catalyst is receiving VRRP packets using
AH authentication - but as it is in no way involved with the machines
speaking VRRP, it has no crypto map or similar setup.

Is there a way to avoid these messages? I was thinking about filtering
the destination address on the corresponding ingress interfaces, but as
the Catalyst itself speaks VRRP, too (using another ID), it is not
possible - and I don't want to start filtering any single host.

Maybe some kind of ignore is possible for the crypto implementation
(say, ignore all AH packets with destination 224.0.0.18)?

Suggestions?

Greetings,
Thorsten
--
Thorsten Ziegler
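
Added example, not part of the original post: a small log triage script that separates the VRRP/AH messages described above (destaddr=224.0.0.18, prot=51) from other %CRYPTO-4-RECVD_PKT_INV_SPI events that still deserve a look. It also records whether the logged SPI is the source address written as a 32-bit number, which is the case in the quoted message (0xAC170406 is 172.23.4.6). The names classify and SAMPLE and the second log message are constructed for illustration.

```python
import ipaddress
import re

VRRP_GROUP = ipaddress.ip_address("224.0.0.18")  # destination seen in the post
AH_PROTO = 51                                    # prot=51 in the post (AH)

# First message is the one quoted in the post; the second is constructed.
SAMPLE = """\
Jul 20 11:37:01: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet
has invalid spi for
destaddr=224.0.0.18, prot=51, spi=0xAC170406(-1407777786),
srcaddr=172.23.4.6
Jul 20 11:37:05: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet
has invalid spi for
destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101),
srcaddr=198.51.100.7
"""

# Fields in the order the message prints them; re.S lets a match span the
# line wraps that syslog or a mail client inserts.
INV_SPI = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>[\d.]+),\s*"
    r"prot=(?P<prot>\d+),\s*spi=0x(?P<spi>[0-9A-Fa-f]+)\(-?\d+\),\s*"
    r"srcaddr=(?P<src>[\d.]+)",
    re.S,
)

def classify(log_text):
    """Return one dict per invalid-SPI message, tagged 'vrrp-ah' or 'review'."""
    events = []
    for m in INV_SPI.finditer(log_text):
        dst = ipaddress.ip_address(m["dst"])
        src = ipaddress.ip_address(m["src"])
        prot = int(m["prot"])
        spi = int(m["spi"], 16)
        is_vrrp_ah = dst == VRRP_GROUP and prot == AH_PROTO
        events.append({
            "src": str(src), "dst": str(dst), "prot": prot, "spi": spi,
            "spi_is_src": spi == int(src),  # SPI equals srcaddr as an integer
            "kind": "vrrp-ah" if is_vrrp_ah else "review",
        })
    return events

if __name__ == "__main__":
    for event in classify(SAMPLE):
        print(event)
```
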