IKE protocol notification message received: INVALID-SPI (11).

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

IKE protocol notification message received: INVALID-SPI (11).

L2 Linker

Dears,

 

I have a site to site VPN between PAN 7.1.6 and Cisco ASA 8.2.5, I'm receiving a lot of Invalid SPI error. I tried to reset the VPN many times and still having the same issue. This issue by the way is casusing a lot of packet dropes in the VPN

 

 

'IKE protocol notification message received: INVALID-SPI (11).'

 

Did any one faced a similer issue or have an idea on how to mitigate such issue ?

17 REPLIES 17

I've had this issue since December and have multiple tickets open with Palo and Rackspace where our ASA is terminated on the other end. Both parties have had multiple engineers looking into this and I still can't get it resolved. Really hoping to find a fix ASAP as it cuts off the tunnel and causes outages.

L0 Member

Hi everyone, we also have the same problem. On one side we have an ASA and on the others side a Palo Alto fw. Randomly a tunnel vpn flapping. From Asa we have this loggin:

IKEv1 was unsuccessful at setting up a tunnel. Map Tag = xyz. Map Sequence Number = x.

Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= xyz. Map Sequence Number = x.

 

and from Palo Alto we have this loggin:

IKE protocol notification message received: INVALID-SPI (11)

 

Was a solution found for this?

L1 Bithead

Hey Ammar,

I had this exact same problem for months on one of my tunnels! Palo to ASA as well. I could have sworn it was an ISP issue, but turns out it was an upgrade on the Palo side that fixed the problem. I went from 9.1.9 to 10.1.5-h2 and that fixed my issue. Haven’t had an Invalid SPI error since.

  • 30506 Views
  • 17 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!