The Security Parameter Index (SPI) is an identification tag added to the packet header when IPsec is used to tunnel IP traffic. It lets the kernel distinguish between traffic streams to which different encryption rules and algorithms apply.
This can be problematic, e.g. if two clients behind the same NAT allocate the same local SPI when they connect to the same VPN gateway. The combination of SPI and destination address would then be identical on the public side of the NAT, which is why UDP encapsulation is required. The UDP ports allow the NAT to direct the inbound packets to the

Re: "rec'd IPSEC packet has invalid spi" errors in VPN connections

The meaning of the message is that one side of the IPsec tunnel received a packet with an invalid SPI. The SPI (Security Parameter Index) is used to identify the SA (Security Association) of the packet, which contains the information needed to handle the encrypted traffic.

    ASA# SHOW ASP TABLE VPN-CONTEXT DETAIL | begin 922FAC
    VPN CTX = 0x00922FAC
    Peer IP = 10.10.15.0
    Pointer = 0xD91404E8
    State = UP
    Flags = ENCR+ESP
    SA = 0x1664DD33
    SPI = 0xE5C56C30
    Group = 47
    Pkts = 362631
    Bad Pkts = 0
    Bad SPI = 0
    Spoof = 0
    Bad Crypto = 0
    Rekey Pkt = 44
    Rekey Call = 44
    VPN Filter =
Jul 30, 2015 · In ScreenOS 5.4 and above, the embedded ICMP packet is inspected to verify whether it was a packet sent by the firewall itself; if so, it is dropped as a packet for self without logging any BAD SPI event log message.

3. The new SPI might be used on one side of the VPN before it is fully installed on the other.
Aug 28, 2009 · Below is an example of clearing a VPN's SAs:

    ns5gt-> get sa active
    Total active sa: 1   total configured sa: 1
    HEX ID     Gateway     Port  Algorithm      SPI       Life:sec  kb     Sta  PID  vsys
    00000007<  10.1.1.25   500   esp:3des/md5   ef1d167f  3317      unlim  A/-  22   0
    00000007>  10.1.1.25   500   esp:3des/md5   fbcb64ee  3317      unlim  A/-  -1   0

    Jul 2 14:00:40 VPN msg: not matched
    Jul 2 14:00:40 VPN msg: ISAKMP-SA established 82.35.46.78[4500]-174.45.35.220[4500] spi:b74e92b3b5360c16:ce602504804696a9

Possible causes and solutions: Invalid user credentials