Urgent Problem: VPN Trouble CISCO 836 <-> PIX 515

 
 
Stefan Dambeck
      10-31-2003
Hi there,

I am building a VPN between several 836 routers and a central PIX 515.
The connection is built up over an ADSL connection which seems quite stable.
Whereas the connection mostly works smoothly without losing a single ping,
the tunnel sometimes gets disrupted. When this happens, I see this message in
the syslog on the PIX:

rec'd IPSEC packet has invalid spi for destaddr=[outsideIP]

I found an article on the Cisco website that describes a feature named
Invalid Security Parameter Index Recovery.

Unfortunately, the IOS version in use on the 836 does not yet have that
feature. And the feature also seems not to exist on the PIX.

I use Preshared Keys with 3DES and md5 hmac, nothing special there.

Any ideas/suggestions on how I could avoid those problems?


Any help would be greatly appreciated!


Regards,

Stefan




 
Walter Roberson
      10-31-2003
In article <bnuahu$mlq$02$>,
Stefan Dambeck <dc7ds_nospam_@gmx.de> wrote:
:I am building a VPN between several 836 routers and a central PIX 515.
:The connection is built up over an ADSL connection which seems quite stable.
:Whereas the connection mostly works smoothly without losing a single ping,
:the tunnel sometimes gets disrupted. When this happens, I see this message in
:the syslog on the PIX:

:rec'd IPSEC packet has invalid spi for destaddr=[outsideIP]

:I found an article on the Cisco website that describes a feature named
:Invalid Security Parameter Index Recovery.

:Unfortunately, the IOS version in use on the 836 does not yet have that
:feature. And the feature also seems not to exist on the PIX.

What PIX software version are you using? According to the 6.1(5)
release notes, they have resolved

CSCeb28943 PIX fails to delete SA when recieving invalid-spi notify

It was also fixed in 6.2(3) and 6.3(2).
--
I've been working on a kernel
All the livelong night.
I've been working on a kernel
And it still won't work quite right. -- J. Benson & J. Doll
 
Stefan Dambeck
      10-31-2003
> What PIX software version are you using? According to the 6.1(5)
> release notes, they have resolved


Thanks for your quick answer!

Version on the PIX:

pix515# sh ver

Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)

Compiled on Fri 07-Jun-02 17:49 by morlee


Version on the 836:

836#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C836 Software (C836-K9O3Y6-M), Version 12.2(13)ZH, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.2(14.5)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 24-Apr-03 21:27 by ealyon
Image text-base: 0x800131E8, data-base: 0x80B802BC

ROM: System Bootstrap, Version 12.2(11r)YV, RELEASE SOFTWARE (fc1)
ROM: C836 Software (C836-K9O3Y6-M), Version 12.2(13)ZH, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)


Regards,

Stefan



 
Walter Roberson
      10-31-2003
In article <bnubml$nug$02$>,
Stefan Dambeck <dc7ds_nospam_@gmx.de> wrote:
:> What PIX software version are you using? According to the 6.1(5)
:> release notes, they have resolved

:Thanks for your quick answer!

:pix515# sh ver

:Cisco PIX Firewall Version 6.2(2)

Okay, so upgrade to 6.2(3) or later. If you don't have a support
contract, you should be able to get a version of 6.2(3)
by contacting the TAC and sending them this URL:

http://www.cisco.com/warp/public/707...0930-ssl.shtml


The security advisories list is at

http://www.cisco.com/en/US/products/...ries_list.html
[it's not the easiest thing to find.]
--
Disobey all self-referential sentences!
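
As an added example (not written by anyone in this thread): a small Python check that reads `sh ver` output from a PIX and reports whether the running release is at or past the CSCeb28943 fix for its train, using only the fixed releases quoted above (6.1(5), 6.2(3), 6.3(2)). The function names and status strings are this example's own; trains the thread does not mention are reported as unknown rather than guessed.

```python
import re

# First fixed maintenance release per train for CSCeb28943, as quoted in the thread.
FIXED_IN = {(6, 1): 5, (6, 2): 3, (6, 3): 2}

# Matches the version line printed by "sh ver" on the PIX, e.g. "Version 6.2(2)".
VERSION_RE = re.compile(r"Cisco PIX Firewall Version (\d+)\.(\d+)\((\d+)\)")


def parse_pix_version(show_version_output):
    """Return (major, minor, maintenance) from 'sh ver' text, or None."""
    match = VERSION_RE.search(show_version_output)
    if match is None:
        return None
    return tuple(int(group) for group in match.groups())


def fix_status(show_version_output):
    """Return 'has-fix', 'lacks-fix' or 'unknown' for CSCeb28943."""
    version = parse_pix_version(show_version_output)
    if version is None:
        return "unknown"          # no recognisable version line
    major, minor, maintenance = version
    first_fixed = FIXED_IN.get((major, minor))
    if first_fixed is None:
        return "unknown"          # train not covered by the thread
    return "has-fix" if maintenance >= first_fixed else "lacks-fix"


# 'sh ver' output as posted in the thread.
THREAD_SAMPLE = """\
pix515# sh ver

Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)

Compiled on Fri 07-Jun-02 17:49 by morlee
"""

if __name__ == "__main__":
    print(parse_pix_version(THREAD_SAMPLE), fix_status(THREAD_SAMPLE))
```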
 