IKE protocol notification message received: INVALID-SPI (11).



L7 Applicator

What if you apply the commands below on the ASA side to clear and resync the SAs?


clear crypto isakmp

clear crypto sa

Enterprise Architect @ Cloud Carib www.cloudcarib.com
L2 Linker

I have tried many times to clear the SAs (Phase 1/2) and re-initiate the VPNs, but the same error appears again and again.

L5 Sessionator

How does this behave? All traffic stops passing through that VPN? Does it recover eventually? Does it happen periodically?


Check the time on both devices. And check the SPIs for this tunnel on both sides when this error starts happening. Compare them to see if they match.
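The SPI comparison suggested above, as an added example that is not part of the original thread: an SPI is chosen by the receiving peer, so every outbound SPI on one device must exist as an inbound SPI on the other, and a peer that receives ESP for an SPI it does not hold answers with INVALID-SPI. The device names, the dictionary layout and all SPI values are constructed, and the SPIs are assumed to have been copied by hand as hex from each device's IPsec SA display.

```python
def parse_spi(text):
    """Normalise a hex SPI such as '0x8B20F3A1' or '8b20f3a1' to an int."""
    return int(text.strip(), 16)  # int(..., 16) accepts an optional 0x prefix


def mismatched_spis(a_name, a, b_name, b):
    """Cross-check the SPIs of one tunnel as seen on two peers.

    a and b are dicts with 'inbound' and 'outbound' lists of hex SPI strings.
    Returns (sender, receiver, spi) tuples for every outbound SPI on the
    sender that the receiver does not hold as an inbound SPI. The receiver in
    each tuple is the side that would report INVALID-SPI for that traffic.
    """
    findings = []
    for s_name, sender, r_name, receiver in ((a_name, a, b_name, b),
                                             (b_name, b, a_name, a)):
        outbound = {parse_spi(s) for s in sender["outbound"]}
        inbound = {parse_spi(s) for s in receiver["inbound"]}
        for spi in sorted(outbound - inbound):
            findings.append((s_name, r_name, f"{spi:08x}"))
    return findings


# Constructed sample: the ASA is sending on an SPI the firewall no longer holds.
SAMPLE_FW = {"inbound": ["0xC41D7E02"], "outbound": ["0x8B20F3A1"]}
SAMPLE_ASA = {"inbound": ["8b20f3a1"], "outbound": ["0x5E9910CC"]}

if __name__ == "__main__":
    for sender, receiver, spi in mismatched_spis("fw", SAMPLE_FW, "asa", SAMPLE_ASA):
        print(f"{sender} sends on SPI {spi}, but {receiver} has no inbound SA for it")
```
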


L2 Linker

I'm seeing this log once the problem started:


iph1->ivm == NULL



L0 Member

I'm also facing this issue. Was a solution found for this?

L1 Bithead

I've had this issue since December and have multiple tickets open with Palo and Rackspace where our ASA is terminated on the other end. Both parties have had multiple engineers looking into this and I still can't get it resolved. Really hoping to find a fix ASAP as it cuts off the tunnel and causes outages.
