The Security Parameter Index (SPI) is a 32-bit identification tag carried in the ESP or AH header of every IPsec packet. Together with the destination address and the protocol (ESP or AH) it tells the receiving kernel which Security Association (SA) the packet belongs to, so that two traffic streams protected with different keys and algorithms can be told apart.

But it could be problematic, e.g. if two clients behind the same NAT allocate the same local SPI when they connect to the same VPN gateway. The combination of SPI and destination address would be the same on the public side of the NAT, which is why UDP encapsulation is required. The UDP ports allow the NAT to direct the inbound packets to the

Re: "rec'd IPSEC packet has invalid spi" errors in VPN connections

The meaning of the message is that one side of the IPsec tunnel received a packet with an invalid SPI. The SPI (Security Parameter Index) is used to identify the SA (Security Association) of the packet, which contains the information needed to handle the encrypted traffic.

ASA# SHOW ASP TABLE VPN-CONTEXT DETAIL | begin 922FAC
VPN CTX = 0x00922FAC
Peer IP =
Pointer = 0xD91404E8
State = UP
Flags = ENCR+ESP
SA = 0x1664DD33
SPI = 0xE5C56C30
Group = 47
Pkts = 362631
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 44
Rekey Call = 44
VPN Filter =

Mar 19, 2019 · S2S IPSec tunnel established but traffic is not passing. Palo Alto packet capture shows that the SPI did not match for in and out traffic. Tunnel health shows good and connected.

It was here that we noticed that the SPIs in the sho crypto ipsec sa didn't match the SPIs coming from the central office. I tried clearing the crypto ipsec sa, but that didn't work, so I rebooted the FW. When it came back up it started working again, and the SPIs matched. The problem is it happened again 15 hours later.
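As an added example (not code from any of the vendors or posters quoted above), the following Python script shows the two things the text describes: extracting the SPI from a raw ESP packet (plain or UDP-encapsulated on port 4500) and looking it up in an inbound SA table keyed by destination, protocol and SPI, where a miss is exactly the "invalid spi" condition; and why a NAT needs the UDP ports when two clients behind it choose the same inbound SPI. The addresses, SPI values and packet bodies are constructed for the example, and the NAT and SA table are deliberately minimal models rather than any real implementation.

```python
"""Added example (not vendor code): extract the SPI from ESP and NAT-T (UDP/4500)
packets, look it up in an inbound SA table keyed by (destination, protocol, SPI),
and show why a NAT needs UDP ports to separate two clients that picked the same SPI."""
import struct
from typing import Dict, List, Optional, Tuple

ESP_PROTO = 50          # IP protocol number of ESP
NAT_T_PORT = 4500       # UDP port used for IKE and UDP-encapsulated ESP (RFC 3948)


def build_esp(spi: int, seq: int, body: bytes) -> bytes:
    """ESP header (RFC 4303): 32-bit SPI, 32-bit sequence number, then the ciphertext."""
    return struct.pack("!II", spi, seq) + body


def parse_spi(packet: bytes, udp_encapsulated: bool) -> Optional[int]:
    """Return the SPI of an ESP packet, or None for an IKE message on UDP/4500.

    On port 4500 an IKE message starts with a 4-byte all-zero 'non-ESP marker';
    ESP never uses SPI 0 (it is reserved), so the first word tells the two apart."""
    if len(packet) < 8:
        raise ValueError("truncated ESP header")
    spi, _seq = struct.unpack("!II", packet[:8])
    if udp_encapsulated and spi == 0:
        return None
    return spi


class InvalidSPI(LookupError):
    """Raised when no inbound SA matches (destination, protocol, SPI)."""


class InboundSADB:
    """Inbound SA table: each entry is found by (destination address, protocol, SPI)."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[str, int, int], str] = {}

    def install(self, dst: str, proto: int, spi: int, sa_name: str) -> None:
        self._sas[(dst, proto, spi)] = sa_name

    def lookup(self, dst: str, proto: int, spi: int) -> str:
        try:
            return self._sas[(dst, proto, spi)]
        except KeyError:
            # This is the condition behind the "rec'd IPSEC packet has invalid spi" message.
            raise InvalidSPI(f"invalid spi for destaddr={dst}, prot={proto}, spi={spi:#010x}")


class Nat:
    """Minimal port-translating NAT in front of several VPN clients (constructed model)."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self._map: Dict[int, Tuple[str, int]] = {}   # public port -> (private ip, private port)
        self._next_port = 40000

    def translate_outbound_udp(self, src_ip: str, src_port: int) -> int:
        for pub, priv in self._map.items():
            if priv == (src_ip, src_port):
                return pub
        pub, self._next_port = self._next_port, self._next_port + 1
        self._map[pub] = (src_ip, src_port)
        return pub

    def inbound_nat_t(self, public_port: int) -> Tuple[str, int]:
        """NAT-T: the UDP port alone tells the NAT which client gets the packet."""
        return self._map[public_port]

    @staticmethod
    def inbound_plain_esp(spi: int, client_inbound_spis: Dict[str, int]) -> List[str]:
        """Plain ESP: the NAT only sees (dst=public IP, SPI); if two clients chose
        the same inbound SPI this returns both and delivery is ambiguous."""
        return [ip for ip, s in client_inbound_spis.items() if s == spi]


def demo() -> Tuple[List[str], Tuple[str, int], Tuple[str, int], str]:
    # Two clients behind one NAT both picked 0x00001000 as the SPI for traffic *to* them.
    client_spis = {"10.0.0.2": 0x1000, "10.0.0.3": 0x1000}
    nat = Nat("203.0.113.1")
    ambiguous = nat.inbound_plain_esp(0x1000, client_spis)   # both clients match

    # With UDP encapsulation each client gets its own public port on the NAT.
    p2 = nat.translate_outbound_udp("10.0.0.2", NAT_T_PORT)
    p3 = nat.translate_outbound_udp("10.0.0.3", NAT_T_PORT)
    gw_pkt_for_client3 = build_esp(0x1000, 7, b"\x00" * 16)   # constructed ESP body
    assert parse_spi(gw_pkt_for_client3, udp_encapsulated=True) == 0x1000
    to2, to3 = nat.inbound_nat_t(p2), nat.inbound_nat_t(p3)

    # A gateway whose SA was rekeyed still receives a packet carrying the old SPI.
    sadb = InboundSADB()
    sadb.install("192.0.2.1", ESP_PROTO, 0xE5C56C30, "peer-198.51.100.7")
    try:
        sadb.lookup("192.0.2.1", ESP_PROTO, 0x1234ABCD)    # stale SPI from before the rekey
        outcome = "accepted"
    except InvalidSPI as e:
        outcome = str(e)
    return ambiguous, to2, to3, outcome


if __name__ == "__main__":
    print(demo())
```

Running it shows the plain-ESP lookup returning both private clients for SPI 0x1000, the NAT-T lookup resolving each public port to exactly one client, and the SA-table miss producing the same kind of message the posts above are chasing.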
Apr 26, 2018 · The crypto isakmp invalid-spi-recovery command attempts to address the condition where a router receives IPsec traffic with an invalid SPI and does not have an IKE SA with that peer. In this case it tries to establish a new IKE session with the peer and sends a DELETE notification over the newly created IKE SA.

Jul 30, 2015 · In ScreenOS 5.4 and above, the embedded ICMP packet is inspected to verify whether it was a packet sent by the firewall itself; if so, it is dropped as a packet for self without logging any BAD SPI event log message.

3. The new SPI might be used on one side of the VPN before it is fully installed on the other.
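The two causes above call for different responses: a single invalid-SPI message right after a rekey is the race just described (the new SPI is in use on one side before the other has installed it) and clears itself, while the same unknown SPI arriving repeatedly from one peer means a stale SA that has to be cleared or recovered with invalid-spi-recovery. As an added example, not code from Cisco, Juniper or any poster above, this Python script triages a batch of invalid-SPI syslog messages per peer. The sample lines are constructed in the shape of the Cisco IOS %CRYPTO-4-RECVD_PKT_INV_SPI message; the hostnames, addresses, SPIs, window and threshold are assumptions for the example.

```python
"""Added example (not Cisco's or Juniper's code): triage a burst of invalid-SPI
syslog messages per peer.  A couple of hits are consistent with the rekey race
(new SPI used before the far end installed it); the same unknown SPI arriving
repeatedly from one peer means a stale SA that needs clearing or
invalid-spi-recovery."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample lines in the shape of the Cisco IOS
# %CRYPTO-4-RECVD_PKT_INV_SPI message; hosts, addresses and SPIs are made up.
SAMPLE_LOG = """\
Mar 19 10:00:01 fw1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0xE5C56C30(3854920752), srcaddr=198.51.100.7, input interface=GigabitEthernet0/1
Mar 19 10:00:11 fw1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0xE5C56C30(3854920752), srcaddr=198.51.100.7, input interface=GigabitEthernet0/1
Mar 19 10:00:21 fw1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0xE5C56C30(3854920752), srcaddr=198.51.100.7, input interface=GigabitEthernet0/1
Mar 19 10:00:31 fw1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0xE5C56C30(3854920752), srcaddr=198.51.100.7, input interface=GigabitEthernet0/1
Mar 19 10:05:02 fw1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.9, input interface=GigabitEthernet0/1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ %CRYPTO-4-RECVD_PKT_INV_SPI: .*?"
    r"destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\), "
    r"srcaddr=(?P<src>[\d.]+)"
)


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    prot: int
    spi: int


def parse_log(text: str) -> List[Event]:
    """Pull (timestamp, srcaddr, destaddr, protocol, SPI) out of each matching line."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog timestamp
        events.append(Event(ts, m["src"], m["dst"], int(m["prot"]), int(m["spi"], 16)))
    return events


def triage(events: List[Event], window: timedelta = timedelta(seconds=60),
           threshold: int = 3) -> Dict[Tuple[str, str], Tuple[str, int, Set[int]]]:
    """Per (srcaddr, destaddr): a verdict, the highest hit count inside any
    `window`, and the set of offending SPIs.
      'stale-sa'  - at least `threshold` hits in one window: the peer keeps sending
                    an SPI we do not have; clear the IPsec SA or let
                    invalid-spi-recovery re-establish IKE and send DELETE
      'transient' - a few hits only, consistent with the rekey race"""
    by_peer: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for e in events:
        by_peer[(e.src, e.dst)].append(e)
    verdicts: Dict[Tuple[str, str], Tuple[str, int, Set[int]]] = {}
    for peer, evs in by_peer.items():
        evs.sort(key=lambda e: e.ts)
        worst = 0
        for i, first in enumerate(evs):
            worst = max(worst, sum(1 for e in evs[i:] if e.ts - first.ts <= window))
        verdict = "stale-sa" if worst >= threshold else "transient"
        verdicts[peer] = (verdict, worst, {e.spi for e in evs})
    return verdicts


if __name__ == "__main__":
    for peer, (verdict, n, spis) in triage(parse_log(SAMPLE_LOG)).items():
        print(peer, verdict, n, [f"{s:#010x}" for s in sorted(spis)])
```

With the sample lines, 198.51.100.7 is flagged as a stale SA (four hits with the same SPI inside a minute) and 198.51.100.9 as transient (one hit); in practice the window and threshold should be tuned to the rekey interval of the tunnels involved.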

Aug 28, 2009 · Below is an example of clearing a VPN's SAs:

ns5gt-> get sa active
Total active sa: 1 total configured sa: 1
HEX ID    Gateway   Port  Algorithm     SPI       Life:sec  kb     Sta  PID  vsys
00000007<           500   esp:3des/md5  ef1d167f  3317      unlim  A/-  22   0
00000007>           500   esp:3des/md5  fbcb64ee  3317      unlim  A/-  -1   0

Jul 2 14:00:40 VPN msg: not matched
Jul 2 14:00:40 VPN msg: ISAKMP-SA established[4500]-[4500] spi:b74e92b3b5360c16:ce602504804696a9

Possible causes and solutions: Invalid user credentials