[c-nsp] 7600 SPA-IPSEC-2G unable to pass traffic

Dan Benson dbenson at swingpad.com
Mon Jan 13 14:09:53 EST 2014


List, 

I am still trying to pass traffic between two 7600s on the public internet using installed SPA-IPSEC-2G blades, without success (running s72033-advipservicesk9_wan-mz.122-33.SXI9).

I have tried tunnel protection, crypto-connect and VRF-mode configurations, none successfully.

My deployment has an L3 VLAN on the public internet which supports local NAT translations. This interface should be used as the source on each system to communicate with the opposite system. The configs below give me the following error when I try to pass traffic:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
	destaddr="localpublic", prot=50, spi=0xB54C2EB1(3041668785), srcaddr="remotepublic"


A side: #sho cry isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
"localpublic"   "remotepublic"   QM_IDLE          68032 ACTIVE

A side: #sho cry session
Crypto session current status

Interface: Vlan2
Session status: UP-ACTIVE
Peer:  "remotepublic" port 500
  IKE SA: local "localpublic"/500 remote  "remotepublic"/500 Active
  IPSEC FLOW: permit ip host "localpublic" host "remotepublic"/
        Active SAs: 0, origin: crypto map


A Side: #sho cry ips sa active

No SAs found



===========

A Side: 

crypto engine mode vrf

access-list 101 permit ip host "localpublic" host "remotepublic"

crypto keyring GIP
  pre-shared-key address "remotepublic" key "key"
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3 periodic
crypto isakmp profile GLOBALIP
   vrf gip
   keyring GIP
   match identity address "remotepublic" 255.255.255.255
!
!
crypto ipsec transform-set GLOBALIP esp-3des esp-sha-hmac
!
crypto map IPSEC local-address Vlan2
crypto map IPSEC 10 ipsec-isakmp
 set peer "remotepublic"
 set transform-set GLOBALIP
 set pfs group2
 set isakmp-profile GLOBALIP
 match address 101



interface Vlan2
 ip address "localpublic" 255.255.255.240
 ip nat outside
 ip flow ingress
 crypto engine outside

interface Vlan777
 ip vrf forwarding gip
 ip address 192.168.255.142 255.255.255.252
 crypto map IPSEC
 crypto engine slot 4/0 inside

==========
B Side:


crypto engine mode vrf

access-list 101 permit ip host "localpublic" host "remotepublic"

crypto keyring GIP
  pre-shared-key address "remotepublic" key "key"
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3 periodic
crypto isakmp profile GLOBALIP
   vrf gip
   keyring GIP
   match identity address "remotepublic" 255.255.255.255
!
!
crypto ipsec transform-set GLOBALIP esp-3des esp-sha-hmac
!
crypto map IPSEC local-address Vlan2
crypto map IPSEC 10 ipsec-isakmp
 set peer "remotepublic"
 set transform-set GLOBALIP
 set pfs group2
 set isakmp-profile GLOBALIP
 match address 101



interface Vlan2
 ip address "localpublic" 255.255.255.240
 ip nat outside
 ip flow ingress
 crypto engine outside

interface Vlan777
 ip vrf forwarding gip
 ip address 192.168.255.141 255.255.255.252
 crypto map IPSEC
 crypto engine slot 4/0 inside



ANY suggestions here would be a huge help, as I am completely stuck at this time.

Thanks!!

db
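The %CRYPTO-4-RECVD_PKT_INV_SPI message in the post means the peer is sending ESP (protocol 50) with an SPI that this box has no inbound SA for, which is consistent with "No SAs found" on the local side while the ISAKMP SA sits in QM_IDLE. When triaging this kind of mismatch it helps to correlate the logged SPIs against what `show crypto ipsec sa` actually has installed, rather than reading log lines by hand. The script below is an added example, not part of the original post or any Cisco tool: it parses constructed sample syslog lines in the same format as the one above, extracts the inbound SPIs from a constructed `show crypto ipsec sa` excerpt, and reports, per peer and SPI, how often the router rejected packets and whether that SPI is now present in the local SA database (a stale SA on the peer shows up as "unknown-to-local-SADB"). The addresses, timestamps and SPI values are made up for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the %CRYPTO-4-RECVD_PKT_INV_SPI format
# (RFC 5737 documentation addresses; not taken from a real device).
SAMPLE_LOG = """\
Jan 13 14:01:02.123: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0xB54C2EB1(3041668785), srcaddr=198.51.100.20
Jan 13 14:01:12.456: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0xB54C2EB1(3041668785), srcaddr=198.51.100.20
Jan 13 14:02:00.789: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.20
Jan 13 14:02:05.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# Constructed excerpt of `show crypto ipsec sa` output. Only the "inbound esp sas"
# section matters here: those are the SPIs this box will accept on decapsulation.
SAMPLE_SA = """\
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-3des esp-sha-hmac ,
     outbound esp sas:
      spi: 0xDEADBEEF(3735928559)
        transform: esp-3des esp-sha-hmac ,
"""

INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>\S+?),\s*prot=(?P<prot>\d+),"
    r"\s*spi=0x(?P<spi>[0-9A-Fa-f]+)\(\d+\),\s*srcaddr=(?P<src>\S+)"
)


def parse_invalid_spi(log_text):
    """Return one dict per invalid-SPI event: src, dst, IP protocol, SPI (int)."""
    events = []
    for line in log_text.splitlines():
        m = INV_SPI_RE.search(line)
        if m:
            events.append({
                "dst": m.group("dst"),
                "src": m.group("src"),
                "prot": int(m.group("prot")),
                "spi": int(m.group("spi"), 16),
            })
    return events


def parse_inbound_spis(show_output):
    """Collect SPIs listed under 'inbound esp sas:' in `show crypto ipsec sa` output."""
    inbound = set()
    direction = None
    for line in show_output.splitlines():
        s = line.strip().lower()
        if s.startswith("inbound") and "sas" in s:
            direction = "in"
        elif s.startswith("outbound") and "sas" in s:
            direction = "out"
        m = re.search(r"spi:\s*0x([0-9a-f]+)", s)
        if m and direction == "in":
            inbound.add(int(m.group(1), 16))
    return inbound


def classify(events, inbound_spis):
    """Group ESP invalid-SPI events by (src, dst, spi) and mark each SPI as either
    installed locally now (the peer's traffic likely raced a rekey) or never installed
    (the peer holds an SA this box does not, i.e. the SADBs disagree)."""
    counts = Counter((e["src"], e["dst"], e["spi"]) for e in events if e["prot"] == 50)
    report = []
    for (src, dst, spi), n in sorted(counts.items()):
        status = "installed-locally" if spi in inbound_spis else "unknown-to-local-SADB"
        report.append({"src": src, "dst": dst, "spi": f"0x{spi:08X}",
                       "count": n, "status": status})
    return report


if __name__ == "__main__":
    for row in classify(parse_invalid_spi(SAMPLE_LOG), parse_inbound_spis(SAMPLE_SA)):
        print(f"{row['src']} -> {row['dst']} spi {row['spi']}: "
              f"{row['count']} rejected packet(s), {row['status']}")
```

Run it against a real `show logging` capture and a real `show crypto ipsec sa` dump instead of the embedded samples; an SPI that keeps showing up as unknown-to-local-SADB while the peer's `show crypto ipsec sa` lists it as outbound confirms that `crypto isakmp invalid-spi-recovery` is not getting the two sides back in sync and that the phase 2 negotiation itself is what needs debugging (`debug crypto ipsec` on both ends).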