This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

IKE protocol notification message received: INVALID-SPI (11).

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

IKE protocol notification message received: INVALID-SPI (11).

Ammar
L2 Linker

‎05-11-2017 11:12 AM

Dears,

 

I have a site to site VPN between PAN 7.1.6 and Cisco ASA 8.2.5, I'm receiving a lot of Invalid SPI error. I tried to reset the VPN many times and still having the same issue. This issue by the way is casusing a lot of packet dropes in the VPN

 

 

'IKE protocol notification message received: INVALID-SPI (11).'

 

Did any one faced a similer issue or have an idea on how to mitigate such issue ?

6 people had this problem.
17 REPLIES 17

athalman
L1 Bithead
In response to Aayush_Sibal

‎03-09-2021 06:04 AM

I've had this issue since December and have multiple tickets open with Palo and Rackspace where our ASA is terminated on the other end. Both parties have had multiple engineers looking into this and I still can't get it resolved. Really hoping to find a fix ASAP as it cuts off the tunnel and causes outages.

0 Likes Likes

lucagerm11
L0 Member

‎11-08-2022 03:00 AM - edited ‎11-08-2022 03:03 AM

Hi everyone, we also have the same problem. On one side we have an ASA and on the others side a Palo Alto fw. Randomly a tunnel vpn flapping. From Asa we have this loggin:

IKEv1 was unsuccessful at setting up a tunnel. Map Tag = xyz. Map Sequence Number = x.

Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= xyz. Map Sequence Number = x.

 

and from Palo Alto we have this loggin:

IKE protocol notification message received: INVALID-SPI (11)

 

Was a solution found for this?

0 Likes Likes

athalman
L1 Bithead

‎11-08-2022 06:13 AM

Hey Ammar,

I had this exact same problem for months on one of my tunnels! Palo to ASA as well. I could have sworn it was an ISP issue, but turns out it was an upgrade on the Palo side that fixed the problem. I went from 9.1.9 to 10.1.5-h2 and that fixed my issue. Haven’t had an Invalid SPI error since.

0 Likes Likes
  • 30504 Views
  • 17 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks