Invalid Security Parameter Index Recovery
When an invalid security parameter index error (shown as "Invalid SPI") occurs in IP Security (IPSec) packet processing, the Invalid Security Parameter Index Recovery feature allows for an Internet Key Exchange (IKE) security association (SA) to be established. The "IKE" module sends notification of the "Invalid SPI" error to the originating IPSec peer so that Security Association Databases (SADBs) can be resynchronized and successful packet processing can be resumed.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Invalid Security Parameter Index Recovery" section.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for Invalid Security Parameter Index Recovery
• Restrictions for Invalid Security Parameter Index Recovery
• Information About Invalid Security Parameter Index Recovery
• How to Configure Invalid Security Parameter Index Recovery
• Configuration Examples for Invalid Security Parameter Index Recovery
• Feature Information for Invalid Security Parameter Index Recovery
Prerequisites for Invalid Security Parameter Index Recovery
Before configuring the Invalid Security Parameter Index Recovery feature, you must have enabled Internet Key Exchange (IKE) and IPSec on your router.
Restrictions for Invalid Security Parameter Index Recovery
If an IKE SA is being initiated to notify an IPSec peer of an "Invalid SPI" error, there is the risk that a denial-of-service (DoS) attack can occur. The Invalid Security Parameter Index Recovery feature has a built-in mechanism to minimize such a risk, but because the risk remains, the feature is not enabled by default. You must enable it explicitly from the command-line interface (CLI).
Information About Invalid Security Parameter Index Recovery
To use the Invalid Security Parameter Index Recovery feature, you should understand the following concept.
• How the Invalid Security Parameter Index Recovery Feature Works
How the Invalid Security Parameter Index Recovery Feature Works
An IPSec "black hole" occurs when one IPSec peer "dies" (for example, a peer can "die" if a reboot occurs or if an IPSec peer somehow gets reset). Because one of the peers (the receiving peer) is completely reset, it loses its IKE SA with the other peer. Generally, when an IPSec peer receives a packet for which it cannot find an SA, it tries to send an IKE "INVALID SPI NOTIFY" message to the data originator. This notification is sent using the IKE SA. If there is no IKE SA available, the receiving peer drops the packet.
Note
A single security association (SA) has only two peers. However, an SADB can hold multiple SAs, each associated with a different peer.
When an invalid security parameter index (SPI) is encountered, the Invalid Security Parameter Index Recovery feature sets up an IKE SA with the originator of the data and sends the IKE "INVALID SPI NOTIFY" message over it. The peer that originated the data "sees" the "INVALID SPI NOTIFY" message and deletes the IPSec SA that has the invalid SPI. If there is further traffic from the originating peer, there will not be any IPSec SAs, so new SAs will be set up and traffic will flow again. The default behavior (that is, without configuring the Invalid Security Parameter Index Recovery feature) is that the data packet that caused the invalid SPI error is dropped. The originating peer keeps on sending the data using the IPSec SA that has the invalid SPI, and the receiving peer keeps dropping the traffic (thus creating the "black hole").
The IPSec module uses the IKE module to send an IKE "INVALID SPI NOTIFY" message to the other peer. Once the invalid SPI recovery is in place, there should not be any significant dropping of packets although the IPSec SA setup can itself result in the dropping of a few packets.
To configure your router for the Invalid Security Parameter Index Recovery feature, use the crypto isakmp invalid-spi-recovery command. The IKE SA will not be initiated unless you have configured this command.
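The two behaviors described above (the black hole when the receiving peer has no IKE SA, and the recovery when it is allowed to open one and send the notification) can be made concrete with a small model. The following is an added illustration, not Cisco IOS code: the peers, their SADBs and the notification exchange are reduced to a few dictionaries, the SPI values and peer names are constructed, and the per-peer notification budget is an assumption standing in for the built-in DoS-limiting mechanism that the document mentions but does not describe.

```python
"""Model of the IPSec "black hole" and of Invalid SPI Recovery.

Added illustration, not Cisco IOS code. SPI values, peer names and the
notify_budget limit are constructed/assumed for this example.
"""
import itertools
from dataclasses import dataclass, field

_spi_source = itertools.count(0x1000)  # constructed SPI values


@dataclass
class Peer:
    name: str
    recovery_enabled: bool = False
    notify_budget: int = 3          # assumed cap on IKE SAs opened only to send a notify
    ike_peers: set = field(default_factory=set)   # peers with which an IKE SA exists
    inbound: dict = field(default_factory=dict)   # the SADB: inbound SPI -> originating peer
    outbound: dict = field(default_factory=dict)  # peer name -> SPI this peer sends with
    delivered: int = 0
    dropped: int = 0
    notifies_sent: int = 0

    def reset(self):
        """A reboot: every IKE SA and IPSec SA on this peer is lost."""
        self.ike_peers.clear()
        self.inbound.clear()
        self.outbound.clear()


def negotiate(a, b):
    """Set up an IKE SA plus a pair of IPSec SAs between a and b."""
    a.ike_peers.add(b.name)
    b.ike_peers.add(a.name)
    spi_ab, spi_ba = next(_spi_source), next(_spi_source)
    a.outbound[b.name], b.inbound[spi_ab] = spi_ab, a.name
    b.outbound[a.name], a.inbound[spi_ba] = spi_ba, b.name


def send(src, dst):
    """Send one protected packet from src to dst and report its fate."""
    if dst.name not in src.outbound:
        negotiate(src, dst)         # no IPSec SA yet: set one up first
    spi = src.outbound[dst.name]
    if spi in dst.inbound:
        dst.delivered += 1
        return "delivered"
    # The receiver has no SA for this SPI (the %CRYPTO-4-RECVD_PKT_INV_SPI case).
    dst.dropped += 1
    if src.name not in dst.ike_peers:
        if not dst.recovery_enabled or dst.notify_budget == 0:
            return "dropped: no IKE SA, notification not sent"
        # Invalid SPI Recovery: open an IKE SA with the originator to carry the notify.
        dst.notify_budget -= 1
        dst.ike_peers.add(src.name)
        src.ike_peers.add(dst.name)
    # INVALID SPI NOTIFY over the IKE SA: the originator deletes the stale IPSec SA,
    # so its next packet triggers a fresh negotiation.
    dst.notifies_sent += 1
    del src.outbound[dst.name]
    return "dropped: INVALID SPI NOTIFY sent"


def run(recovery_enabled, packets=10):
    """Router B reboots after the SAs are up; Router A keeps sending."""
    a = Peer("RouterA")
    b = Peer("RouterB", recovery_enabled=recovery_enabled)
    negotiate(a, b)
    b.reset()
    log = [send(a, b) for _ in range(packets)]
    return a, b, log


if __name__ == "__main__":
    for enabled in (False, True):
        _, b, log = run(enabled)
        print(f"recovery {'on ' if enabled else 'off'}: delivered={b.delivered} "
              f"dropped={b.dropped} notifies={b.notifies_sent}")
        print("  first packets:", log[:3])
```

With recovery off, every packet after the reboot is dropped and nothing is ever sent back, which is the black hole. With recovery on, exactly one packet is lost: the receiver opens an IKE SA, the notify makes the originator discard its stale SA, and the next packet renegotiates. The budget counter is where a real implementation would bound how many IKE SAs unsolicited traffic can make the receiver initiate.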
How to Configure Invalid Security Parameter Index Recovery
This section contains the following procedure.
• Configuring Invalid Security Parameter Index Recovery
Configuring Invalid Security Parameter Index Recovery
To configure the Invalid Security Parameter Index Recovery feature, perform the following steps.
SUMMARY STEPS

1. enable
2. configure terminal
3. crypto isakmp invalid-spi-recovery

DETAILED STEPS

Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode. Enter your password if prompted.

Step 2
configure terminal
Example:
Router# configure terminal
Enters global configuration mode.

Step 3
crypto isakmp invalid-spi-recovery
Example:
Router(config)# crypto isakmp invalid-spi-recovery
Initiates the IKE module process whereby the IKE module notifies the receiving IPSec peer that an "Invalid SPI" error has occurred.
Verifying an Invalid Security Parameter Index Recovery Configuration
To determine the status of the IPSec SA for traffic between two peers, you can use the show crypto ipsec sa command. If the IPSec SA is available on one peer and not on the other, there is a "black hole" situation, in which case you will see the invalid SPI errors being logged for the receiving peer. If you turn console logging on or check the syslog server, you will see that these errors are also being logged.
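The two checks just described, reading the invalid SPI errors out of the log and comparing the SA tables of the two peers, can be automated. The following is an added example, not Cisco IOS code: the log lines and the abridged "show crypto ipsec sa" excerpts are constructed after the samples in this document, and the parsing functions and the repeat threshold are this example's own choices.

```python
"""Spot an IPSec black hole from the receiver's log and both SA tables.

Added example, not Cisco IOS code; sample data below is constructed after
the show logging / show crypto ipsec sa output in this document.
"""
import re
from collections import Counter

# %CRYPTO-4-RECVD_PKT_INV_SPI message as logged by the receiving peer.
INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*invalid spi for "
    r"destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi>[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>[\d.]+)"
)
PROTO_NAMES = {50: "ESP", 51: "AH"}

# Section and SPI lines of "show crypto ipsec sa".
SECTION_RE = re.compile(r"^\s*(inbound|outbound) (?:esp|ah|pcp) sas:")
SPI_LINE_RE = re.compile(r"^\s*spi: 0x([0-9A-Fa-f]+)\(\d+\)")

# Constructed log excerpt: first line as in the document, repeats and the
# unrelated debug line added here.
SAMPLE_LOG = """\
*Mar 24 20:55:45.739: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.2.2.2, prot=51, spi=0x1214F0D(18960141), srcaddr=10.1.1.1
*Mar 24 20:55:45.812: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.2.2.2, prot=51, spi=0x1214F0D(18960141), srcaddr=10.1.1.1
*Mar 24 20:55:45.903: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.2.2.2, prot=51, spi=0x1214F0D(18960141), srcaddr=10.1.1.1
*Mar 24 20:55:47.743: IPSEC(spi_response): getting spi 4179647725 for SA from 10.2.2.2 to 10.1.1.1 for prot 2
"""

# Abridged SA tables: Router A still holds its SAs, Router B was just cleared.
ROUTER_A_SA = """\
     current outbound spi: 7AA69CB7
     inbound esp sas:
      spi: 0x249C5062(614223970)
     inbound ah sas:
      spi: 0xB16D1587(2976716167)
     outbound esp sas:
      spi: 0x7AA69CB7(2057739447)
     outbound ah sas:
      spi: 0x1214F0D(18960141)
"""
ROUTER_B_SA = """\
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     outbound esp sas:
     outbound ah sas:
"""


def parse_invalid_spi(lines):
    """Extract src, dst, protocol and SPI from each invalid-SPI syslog line."""
    events = []
    for line in lines:
        m = INV_SPI_RE.search(line)
        if m:
            events.append({"src": m["src"], "dst": m["dst"],
                           "proto": PROTO_NAMES.get(int(m["prot"]), m["prot"]),
                           "spi": int(m["spi"], 16)})
    return events


def repeated_invalid_spi(events, threshold=3):
    """Flows whose SPI keeps being rejected: the originator is still using an
    SA the receiver no longer has, which is the black-hole pattern."""
    counts = Counter((e["src"], e["dst"], e["proto"], e["spi"]) for e in events)
    return {flow: n for flow, n in counts.items() if n >= threshold}


def parse_sa_spis(show_output):
    """Collect inbound and outbound SPIs from show crypto ipsec sa output."""
    spis = {"inbound": set(), "outbound": set()}
    direction = None
    for line in show_output.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            direction = sec.group(1)
            continue
        spi = SPI_LINE_RE.match(line)
        if spi and direction:
            spis[direction].add(int(spi.group(1), 16))
    return spis


def missing_inbound(receiver_output, originator_output):
    """SPIs the originator sends with for which the receiver has no inbound SA."""
    have = parse_sa_spis(receiver_output)["inbound"]
    sent = parse_sa_spis(originator_output)["outbound"]
    return sorted(sent - have)


if __name__ == "__main__":
    events = parse_invalid_spi(SAMPLE_LOG.splitlines())
    for (src, dst, proto, spi), n in repeated_invalid_spi(events).items():
        print(f"{n}x invalid SPI 0x{spi:X} ({proto}) from {src} to {dst}")
    print("SPIs Router A uses that Router B lacks:",
          [f"0x{s:X}" for s in missing_inbound(ROUTER_B_SA, ROUTER_A_SA)])
```

Run on the sample data, the log check reports the AH SPI 0x1214F0D from 10.1.1.1 being rejected three times, and the table comparison shows that both of Router A's outbound SPIs are absent from Router B's inbound set, which is exactly the one-sided SA state the paragraph above describes.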
Figure 1 shows the topology of a typical preshared configuration setup. Host 1 is the initiating peer (initiator), and Host 2 is the receiving peer (responder).
Figure 1 Preshared Configuration Topology
To verify the preshared configuration, perform the following steps.

SUMMARY STEPS

1. Initiate the IKE and IPSec SAs between Host 1 and Host 2
2. Clear the IKE and IPSec SAs on Router B
3. Send traffic from Host 1 to Host 2 and ensure that IKE and IPSec SAs are correctly established
4. Check for an invalid SPI message on Router B

DETAILED STEPS
Step 1
Initiate the IKE and IPSec SAs between Host 1 and Host 2
Router A
Router# show crypto isakmp sa
f_vrf/i_vrf   dst        src        state    conn-id  slot
    /         10.2.2.2   10.1.1.1   QM_IDLE  1        0

Router B

Router# show crypto isakmp sa
f_vrf/i_vrf   dst        src        state    conn-id  slot
    /         10.1.1.1   10.2.2.2   QM_IDLE  1        0

Router A

Router# show crypto ipsec sa interface fastethernet0/0

interface: FastEthernet0/0
    Crypto map tag: testtag1, local addr. 10.1.1.1

   protected vrf:
   local  ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.2.2/255.255.255.255/0/0)
   current_peer: 10.2.2.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.2
     path mtu 1500, media mtu 1500
     current outbound spi: 7AA69CB7

     inbound esp sas:
      spi: 0x249C5062(614223970)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5123, flow_id: 1, crypto map: testtag1
        crypto engine type: Hardware
        sa timing: remaining key lifetime (k/sec): (4537831/3595)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:
      spi: 0xB16D1587(2976716167)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5121, flow_id: 1, crypto map: testtag1
        crypto engine type: Hardware
        sa timing: remaining key lifetime (k/sec): (4537831/3595)
        replay detection support: Y

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7AA69CB7(2057739447)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5124, flow_id: 2, crypto map: testtag1
        crypto engine type: Hardware
        sa timing: remaining key lifetime (k/sec): (4537835/3595)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:
      spi: 0x1214F0D(18960141)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5122, flow_id: 2, crypto map: testtag1
        crypto engine type: Hardware
        sa timing: remaining key lifetime (k/sec): (4537835/3594)
        replay detection support: Y

     outbound pcp sas:

Router B

Router# show crypto ipsec sa interface ethernet1/0

interface: Ethernet1/0
    Crypto map tag: testtag1, local addr. 10.2.2.2

   protected vrf:
   local  ident (addr/mask/prot/port): (10.0.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
   current_peer: 10.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.2.2.2, remote crypto endpt.: 10.1.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 249C5062

     inbound esp sas:
      spi: 0x7AA69CB7(2057739447)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5123, flow_id: 1, crypto map: testtag1
        crypto engine type: Hardware
        sa timing: remaining key lifetime (k/sec): (4421281/3593)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:
      spi: 0x1214F0D(18960141)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5121, flow_id: 1, crypto map: testtag1
        crypto engine type: Hardware
        sa timing: remaining key lifetime (k/sec): (4421281/3593)
        replay detection support: Y

     inbound pcp sas:

     outbound esp sas:
      spi: 0x249C5062(614223970)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5124, flow_id: 2, crypto map: testtag1
        crypto engine type: Hardware
        sa timing: remaining key lifetime (k/sec): (4421285/3593)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:
      spi: 0xB16D1587(2976716167)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5122, flow_id: 2, crypto map: testtag1
        crypto engine type: Hardware
        sa timing: remaining key lifetime (k/sec): (4421285/3592)
        replay detection support: Y

     outbound pcp sas:

Step 2
Clear the IKE and IPSec SAs on Router B
Router# clear crypto isakmp
Router# clear crypto sa
Router# show crypto isakmp sa
f_vrf/i_vrf   dst        src        state        conn-id  slot
    /         10.2.2.2   10.1.1.1   MM_NO_STATE  1        0 (deleted)

Router# show crypto ipsec sa

interface: Ethernet1/0
    Crypto map tag: testtag1, local addr. 10.2.2.2

   protected vrf:
   local  ident (addr/mask/prot/port): (10.0.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
   current_peer: 10.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.2.2.2, remote crypto endpt.: 10.1.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Step 3
Send traffic from Host 1 to Host 2 and ensure that new IKE and IPSec SAs are correctly established
ping
Protocol [ip]: ip
Target IP address: 10.0.2.2
Repeat count [5]: 30
Datagram size [100]: 100
Timeout in seconds [2]:
Extended commands [n]: no
Sweep range of sizes [n]: n
Type escape sequence to abort.
Sending 30, 100-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds:
..!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 93 percent (28/30), round-trip min/avg/max = 1/3/8 ms

RouterB# show crypto isakmp sa
f_vrf/i_vrf   dst        src        state        conn-id  slot
    /         10.1.1.1   10.2.2.2   QM_IDLE      3        0
    /         10.1.1.1   10.2.2.2   MM_NO_STATE  1        0 (deleted)

RouterB# show crypto ipsec sa

interface: Ethernet1/0
    Crypto map tag: testtag1, local addr. 10.2.2.2

   protected vrf:
   local  ident (addr/mask/prot/port): (10.0.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
   current_peer: 10.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
    #pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.2.2.2, remote crypto endpt.: 10.1.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: D763771F

     inbound esp sas:
      spi: 0xE7AB4256(3886760534)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5127, flow_id: 3, crypto map: testtag1
        crypto engine type: Hardware
        sa timing: remaining key lifetime (k/sec): (4502463/3596)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:
      spi: 0xF9205CED(4179647725)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5125, flow_id: 3, crypto map: testtag1
        crypto engine type: Hardware
        sa timing: remaining key lifetime (k/sec): (4502463/3596)
        replay detection support: Y

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD763771F(3613619999)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5128, flow_id: 4, crypto map: testtag1
        crypto engine type: Hardware
        sa timing: remaining key lifetime (k/sec): (4502468/3596)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:
      spi: 0xEB95406F(3952427119)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5126, flow_id: 4, crypto map: testtag1
        crypto engine type: Hardware
        sa timing: remaining key lifetime (k/sec): (4502468/3595)
        replay detection support: Y

     outbound pcp sas:

RouterA# show crypto isakmp sa
f_vrf/i_vrf   dst        src        state        conn-id  slot
    /         10.2.2.2   10.1.1.1   MM_NO_STATE  1        0 (deleted)
    /         10.2.2.2   10.1.1.1   QM_IDLE      2        0

Step 4
Check for an invalid SPI message on Router B

Router# show logging
Syslog logging: enabled (10 messages dropped, 13 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled
    Buffer logging: level debugging, 43 messages logged, xml disabled
    Logging Exception size (8192 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 72 message lines logged

Log Buffer (8000 bytes):

*Mar 24 20:55:45.739: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.2.2.2, prot=51, spi=0x1214F0D(18960141), srcaddr=10.1.1.1
*Mar 24 20:55:47.743: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.2.2.2, remote= 10.1.1.1,
    local_proxy= 10.0.2.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.0.0.1/255.255.255.255/0/0 (type=1),
    protocol= AH, transform= ah-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 24 20:55:47.743: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 10.2.2.2, remote= 10.1.1.1,
    local_proxy= 10.0.2.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.0.0.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 24 20:55:47.743: IPSEC(kei_proxy): head = testtag1, map->ivrf = , kei->ivrf =
*Mar 24 20:55:47.743: IPSEC(key_engine): got a queue event with 2 kei messages
*Mar 24 20:55:47.743: IPSEC(spi_response): getting spi 4179647725 for SA
        from 10.2.2.2 to 10.1.1.1 for prot 2
*Mar 24 20:55:47.747: IPSEC(spi_response): getting spi 3886760534 for SA
        from 10.2.2.2 to 10.1.1.1 for prot 3
*Mar 24 20:55:48.071: IPSec: Flow_switching Allocated flow for flow_id 939524099
*Mar 24 20:55:48.071: IPSec: Flow_switching Allocated flow for flow_id 939524100
*Mar 24 20:55:48.135: IPSEC(key_engine): got a queue event with 4 kei messages
*Mar 24 20:55:48.135: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 10.2.2.2, remote= 10.1.1.1,
    local_proxy= 10.0.2.2/0.0.0.0/0/0 (type=1),
    remote_proxy= 10.0.0.1/0.0.0.0/0/0 (type=1),
    protocol= AH, transform= ah-sha-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0xF9205CED(4179647725), conn_id= 939529221, keysize= 0, flags= 0x2
*Mar 24 20:55:48.135: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 10.2.2.2, remote= 10.1.1.1,
    local_proxy= 10.0.2.2/0.0.0.0/0/0 (type=1),
    remote_proxy= 10.0.0.1/0.0.0.0/0/0 (type=1),
    protocol= AH, transform= ah-sha-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0xEB95406F(3952427119), conn_id= 939529222, keysize= 0, flags= 0xA
*Mar 24 20:55:48.135: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 10.2.2.2, remote= 10.1.1.1,
    local_proxy= 10.0.2.2/0.0.0.0/0/0 (type=1),
    remote_proxy= 10.0.0.1/0.0.0.0/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-sha-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0xE7AB4256(3886760534), conn_id= 939529223, keysize= 0, flags= 0x2
*Mar 24 20:55:48.135: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 10.2.2.2, remote= 10.1.1.1,
    local_proxy= 10.0.2.2/0.0.0.0/0/0 (type=1),
    remote_proxy= 10.0.0.1/0.0.0.0/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-sha-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0xD763771F(3613619999), conn_id= 939529224, keysize= 0, flags= 0xA
*Mar 24 20:55:48.139: IPSEC(kei_proxy): head = testtag1, map->ivrf = , kei->ivrf =
*Mar 24 20:55:48.139: IPSEC(mtree_add_ident): src 10.2.2.2, dest 10.1.1.1, dest_port 0
*Mar 24 20:55:48.139: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.1.1.1, sa_prot= 51,
    sa_spi= 0xF9205CED(4179647725),
    sa_trans= ah-sha-hmac , sa_conn_id= 939529221
*Mar 24 20:55:48.139: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.2.2.2, sa_prot= 51,
    sa_spi= 0xEB95406F(3952427119),
    sa_trans= ah-sha-hmac , sa_conn_id= 939529222
*Mar 24 20:55:48.139: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.1.1.1, sa_prot= 50,
    sa_spi= 0xE7AB4256(3886760534),
    sa_trans= esp-des esp-sha-hmac , sa_conn_id= 939529223
*Mar 24 20:55:48.139: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.2.2.2, sa_prot= 50,
    sa_spi= 0xD763771F(3613619999),
    sa_trans= esp-des esp-sha-hmac , sa_conn_id= 939529224
ipseca-72a#

Configuration Examples for Invalid Security Parameter Index Recovery
This section provides the following configuration example.
• Invalid Security Parameter Index Recovery: Example
Invalid Security Parameter Index Recovery: Example
The following example shows that invalid security parameter index recovery has been configured on Router A and Router B. Figure 1 shows the topology used for this example.
Router A
Router# show running-config
Building configuration...

Current configuration : 2048 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service tcp-small-servers
!
hostname ipseca-71a
!
logging queue-limit 100
no logging console
enable secret 5 $1$4GZB$L2YOmnenOCNAu0jgFxebT/
enable password lab
!
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
ip audit notify log
ip audit po max-events 100
mpls ldp logging neighbor-changes
no ftp-server write-enable
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 180
crypto isakmp key 0 1234 address 10.2.2.2
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set auth2 ah-sha-hmac esp-des esp-sha-hmac
!
crypto map testtag1 10 ipsec-isakmp
 set peer 10.2.2.2
 set transform-set auth2
 match address 150
!
!
controller ISA 5/1
!
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.0.0.0
 no ip route-cache cef
 duplex full
 speed 100
 crypto map testtag1
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.0.0.0
 no ip route-cache cef
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 serial restart_delay 0
 clockrate 128000
!
interface Serial1/1
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 serial restart_delay 0
 clockrate 128000
!
interface Serial1/2
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 serial restart_delay 0
!
interface Serial1/3
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 no keepalive
 serial restart_delay 0
 clockrate 128000
!
ip classless
ip route 10.3.3.3 255.0.0.0 10.2.0.1
no ip http server
no ip http secure-server
!
!
access-list 150 permit ip host 10.0.0.1 host 10.0.2.2
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
call rsvp-sync
!
!
mgcp profile default
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password lab
 login
!
!
end
ipseca-71a#

Router B
Router# show running-config
Building configuration...

Current configuration : 2849 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname ipseca-72a
!
logging queue-limit 100
no logging console
enable secret 5 $1$kKqL$5Th5Qhw1ubDkkK90KWFxi1
enable password lab
!
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
ip audit notify log
ip audit po max-events 100
mpls ldp logging neighbor-changes
no ftp-server write-enable
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 180
crypto isakmp key 0 1234 address 10.1.1.1
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set auth2 ah-sha-hmac esp-des esp-sha-hmac
!
crypto map testtag1 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set auth2
 match address 150
!
!
controller ISA 5/1
!
!
interface FastEthernet0/0
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 duplex half
!
interface Ethernet1/0
 ip address 10.2.2.2 255.0.0.0
 no ip route-cache cef
 duplex half
 crypto map testtag1
!
interface Ethernet1/1
 ip address 10.0.2.2 255.0.0.0
 no ip route-cache cef
 duplex half
!
interface Ethernet1/2
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 duplex half
!
interface Ethernet1/3
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 duplex half
!
interface Ethernet1/4
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 duplex half
!
interface Ethernet1/5
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 duplex half
!
interface Ethernet1/6
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 duplex half
!
interface Ethernet1/7
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 duplex half
!
interface Serial3/0
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 serial restart_delay 0
!
interface Serial3/1
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 serial restart_delay 0
 clockrate 128000
!
interface Serial3/2
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 serial restart_delay 0
!
interface Serial3/3
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 no keepalive
 serial restart_delay 0
 clockrate 128000
!
ip classless
ip route 10.0.0.0 255.0.0.0 10.2.0.1
no ip http server
no ip http secure-server
!
!
access-list 150 permit ip host 10.0.2.2 host 10.0.0.1
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password lab
 login
!
!
end

Additional References
The following sections provide references related to Invalid Security Parameter Index Recovery.
Related Documents
Related Topic: Configuring IKE
Document Title: "Configuring Internet Key Exchange Security Protocol" section of the Cisco IOS Security Configuration Guide

Related Topic: Configuring IPSec
Document Title: "Part 4: IP Security and Encryption" of the Cisco IOS Security Configuration Guide

Related Topic: Interface commands
Document Title: The Cisco IOS Interface and Hardware Component Command Reference, Release 12.3
Standards
MIBs
MIBs: This feature has no new or modified MIBs.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
This section documents the crypto isakmp invalid-spi-recovery command. All other commands used with this feature are documented in the Cisco IOS Release 12.3 command reference publications.
crypto isakmp invalid-spi-recovery
To initiate the Internet Key Exchange (IKE) security association (SA) to notify the receiving IP Security (IPSec) peer that there is an "Invalid SPI" error, use the crypto isakmp invalid-spi-recovery command in global configuration mode. To disable the notification process, use the no form of this command.
crypto isakmp invalid-spi-recovery
no crypto isakmp invalid-spi-recovery
Syntax Description
This command has no arguments or keywords.
Defaults
The IKE notification process is not enabled.
Command Modes
Global configuration
Command History
Release        Modification
12.3(2)T       This command was introduced.
12.2(18)SXE    This command was integrated into Cisco IOS Release 12.2(18)SXE.
Usage Guidelines
This command allows you to configure your router so that when an invalid security parameter index error (shown as "Invalid SPI") occurs, an IKE SA is initiated. The "IKE" module, which serves as a checkpoint in the IPSec session, recognizes the "Invalid SPI" situation. The IKE module then sends an "Invalid Error" message to the packet-receiving peer so that synchronization of the security association databases (SADBs) of the two peers can be attempted. As soon as the SADBs are resynchronized, packets are no longer dropped.
Note
SPI recovery initiates a new IKE SA only for static peers.
Caution
Using this command to initiate an IKE SA to notify an IPSec peer of an "Invalid SPI" error can result in a denial-of-service (DoS) attack.
Examples
The following example shows that the IKE module process has been initiated to notify the receiving peer that there is an "Invalid SPI" error:
Router(config)# crypto isakmp invalid-spi-recovery

Feature Information for Invalid Security Parameter Index Recovery
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.