Urgent Problem: VPN Trouble CISCO 836 <-> PIX 515

Discussion in 'Cisco' started by Stefan Dambeck, Oct 31, 2003.

  1. Hi there,

    I am building a VPN between several 836 Routers and a central PIX 515.
    The connection is built up above an ADSL Connection which seems quite stable.
    Whereas the connection mostly works smoothly without losing a single ping,
    the Tunnel sometimes gets disrupted. When this happens, I see this message in
    the syslog on the PIX:

    rec'd IPSEC packet has invalid spi for destaddr=[outsideIP]

    I found an article on the CISCO website that describes a feature named
    Invalid Security Parameter Index Recovery

    Unfortunately, the IOS Version in use on the 836 does not already have that
    feature. And the feature also seems not to exist on the PIX.

    I use Preshared Keys with 3DES and md5 hmac, nothing special there.

    Any ideas/suggestions how I could avoid those problems?


    Any help would be greatly appreciated!


    Regards,

    Stefan
    Stefan Dambeck, Oct 31, 2003
    #1

  2. In article <bnuahu$mlq$02$-online.com>,
    Stefan Dambeck <> wrote:
    :I am building a VPN between several 836 Routers and a central PIX 515.
    :The connection is built up above an ADSL Connection which seems quite stable.
    :Whereas the connection mostly works smoothly without losing a single ping,
    :the Tunnel sometimes gets disrupted. When this happens, I see this message in
    :the syslog on the PIX:

    :rec'd IPSEC packet has invalid spi for destaddr=[outsideIP]

    :I found an article on the CISCO website that describes a feature named
    :Invalid Security Parameter Index Recovery

    :Unfortunately, the IOS Version in use on the 836 does not already have that
    :feature. And the feature also seems not to exist on the PIX.

    What PIX software version are you using? According to the 6.1(5)
    release notes, they have resolved

    CSCeb28943 PIX fails to delete SA when recieving invalid-spi notify

    It was also fixed in 6.2(3) and 6.3(2).
    --
    I've been working on a kernel
    All the livelong night.
    I've been working on a kernel
    And it still won't work quite right. -- J. Benson & J. Doll
    Walter Roberson, Oct 31, 2003
    #2

  3. > What PIX software version are you using? According to the 6.1(5)
    > release notes, they have resolved


    Thanks for your quick answer!

    Version on the PIX:

    pix515# sh ver

    Cisco PIX Firewall Version 6.2(2)
    Cisco PIX Device Manager Version 2.1(1)

    Compiled on Fri 07-Jun-02 17:49 by morlee


    Version on the 836:

    836#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) C836 Software (C836-K9O3Y6-M), Version 12.2(13)ZH, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    Synched to technology version 12.2(14.5)T
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Thu 24-Apr-03 21:27 by ealyon
    Image text-base: 0x800131E8, data-base: 0x80B802BC

    ROM: System Bootstrap, Version 12.2(11r)YV, RELEASE SOFTWARE (fc1)
    ROM: C836 Software (C836-K9O3Y6-M), Version 12.2(13)ZH, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)


    Regards,

    Stefan
    Stefan Dambeck, Oct 31, 2003
    #3
  4. In article <bnubml$nug$02$-online.com>,
    Stefan Dambeck <> wrote:
    :> What PIX software version are you using? According to the 6.1(5)
    :> release notes, they have resolved

    :Thanks for your quick answer!

    :pix515# sh ver

    :Cisco PIX Firewall Version 6.2(2)

    Okay, so upgrade to 6.2(3) or later. If you don't have a support
    contract, you should be able to get a version of 6.2(3)
    by contacting the TAC and sending them this URL:

    http://www.cisco.com/warp/public/707/cisco-sa-20030930-ssl.shtml


    The security advisories list is at

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_security_advisories_list.html
    [it's not the easiest thing to find.]
    --
    Disobey all self-referential sentences!
    Walter Roberson, Oct 31, 2003
    #4
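
Added example, not part of the thread: a small audit script that parses the `Cisco PIX Firewall Version` line from `sh ver` output and checks it against the three releases cited above as containing the CSCeb28943 fix. The function names, hostnames and every inventory entry other than the 6.2(2) line are constructed for illustration; trains the thread does not mention are reported as unknown rather than guessed.

```python
import re

# First maintenance release per train that the reply above cites as
# containing the CSCeb28943 fix: 6.1(5), 6.2(3), 6.3(2).
FIXED_IN = {(6, 1): 5, (6, 2): 3, (6, 3): 2}

VERSION_RE = re.compile(r"Cisco PIX Firewall Version (\d+)\.(\d+)\((\d+)\)")


def parse_pix_version(sh_ver_text):
    """Return (major, minor, maintenance) from `sh ver` output, or None."""
    match = VERSION_RE.search(sh_ver_text)
    return tuple(int(g) for g in match.groups()) if match else None


def fix_status(sh_ver_text):
    """Classify one device as 'fixed', 'missing-fix' or 'unknown'."""
    version = parse_pix_version(sh_ver_text)
    if version is None:
        return "unknown"          # not PIX output, or unparseable
    major, minor, maint = version
    first_fixed = FIXED_IN.get((major, minor))
    if first_fixed is None:
        return "unknown"          # train not mentioned in the thread
    return "fixed" if maint >= first_fixed else "missing-fix"


def needs_upgrade(inventory):
    """Return sorted hostnames whose release predates the cited fix."""
    return sorted(h for h, text in inventory.items()
                  if fix_status(text) == "missing-fix")


# Constructed inventory: the first entry reuses the version lines posted in
# the thread; the hostnames and the other entries are made up.
SAMPLE_INVENTORY = {
    "pix515": "Cisco PIX Firewall Version 6.2(2)\n"
              "Cisco PIX Device Manager Version 2.1(1)\n",
    "pix-branch-a": "Cisco PIX Firewall Version 6.3(2)\n",
    "pix-branch-b": "Cisco PIX Firewall Version 6.1(4)\n",
    "pix-lab": "Cisco PIX Firewall Version 5.3(1)\n",
}

if __name__ == "__main__":
    for host, text in sorted(SAMPLE_INVENTORY.items()):
        print(host, parse_pix_version(text), fix_status(text))
    print("upgrade:", needs_upgrade(SAMPLE_INVENTORY))
```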