This document describes the IPsec issue when Security Associations (SAs) become out of sync between the peer devices.
One of the most common IPsec issues is that SAs can become out of sync between the peer devices. As a result, the encryption endpoint encrypts traffic with an SA that its peer does not know about. These packets are dropped by the peer and this message appears in the syslog:
Sep 2 13:27:57.707: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
destaddr=10.10.1.2, prot=50, spi=0xB761863E(3076621886), srcaddr=10.1.1.1
Router# show platform hardware qfp active statistics drop | inc Ipsec
IpsecDenyDrop 0 0
IpsecIkeIndicate 0 0
IpsecInput 0 0 <======
IpsecInvalidSa 0 0
IpsecOutput 0 0
IpsecTailDrop 0 0
IpsecTedIndicate 0 0
Router# show platform hardware qfp active feature ipsec datapath drops all | in SPI
4 IN_US_V4_PKT_SA_NOT_FOUND_SPI 64574 <======
7 IN_TRANS_V4_IPSEC_PKT_NOT_FOUND_SPI 0
12 IN_US_V6_PKT_SA_NOT_FOUND_SPI 0
It is important to note that this particular message is rate-limited in Cisco IOSĀ® at a rate of one per minute for the obvious security reasons. If this message for a particular flow (SRC, DST, or SPI) only appears once in the syslog, then it is likely a transient condition that is present at the same time as the IPsec rekey, where one peer can start to use the new SA while the peer device is not quite ready to use the same SA. This is normally not a problem, as it is only temporary and would only affect a few packets.
However, if the same message persists for the same flow and SPI number, then it is indicative the IPsec SAs have gone out of sync between the peers. For example:
Sep 2 13:36:47.287: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
destaddr=10.10.1.2, prot=50, spi=0x1DB73BBB(498547643), srcaddr=10.1.1.1 Sep 2 13:37:48.039: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
destaddr=10.10.1.2, prot=50, spi=0x1DB73BBB(498547643), srcaddr=10.1.1.1
This is an indication that traffic is black-holed and cannot recover until the SAs expire on the sending device or until the Dead Peer Detection (DPD) is activated.
This section provides information that you can use in order to resolve the issue that is described in the previous section.
In order to resolve this issue, Cisco recommends that you enable the invalid SPI recovery feature. For example, enter the crypto isakmp invalid-spi-recovery command. Here are some important notes that describe the use of this command:
| Crypto-configuration | Invalid SPI Recovery |
|---|---|
| Static crypto-map | Yes |
| Dynamic crypto-map | No |
| P2P GRE with Tunnel Protection | Yes |
| mGRE Tunnel Protection that uses w/ static NHRP mapping | Yes |
| mGRE Tunnel Protection that uses w/ dynamic NHRP mapping | No |
| sVTI | Yes |
| EzVPN client | N/A |
Many times the invalid SPI error message occurs intermittently. This makes it difficult to troubleshoot, as it becomes very hard to collect the relevant debugs. Embedded Event Manager (EEM) scripts can be very useful in this case.
Note: For more details, refer to the EEM Scripts used to Troubleshoot Tunnel Flaps Caused by Invalid Security Parameter Indexes Cisco document.
This list shows bugs that can either cause IPsec SAs to go out of sync or are related to Invalid SPI recovery:
| Revision | Publish Date | Comments |
|---|---|---|
4.0 |
14-Jul-2026
|
Spellcheck and fixed title. |
3.0 |
11-Aug-2023
|
Updated SEO, Style Requirements, Machine Translation, Branding Requirements and Formatting. |
2.0 |
15-Jul-2022
|
Updates made to style requirements, machine translation, gerunds, SEO, and title to comply with Cisco guidelines. |
1.0 |
11-Aug-2014
|
Initial Release |