Thanks, it's acceptable if the two side are negotiating. But the time it happened is unpredictable

Date / Time Level Description
2007-11-11 03:15:57 alert IPSec tunnel on interface ethernet3/2 with tunnel ID 0x1a received a packet with a bad SPI.
139.130.*.*->202.122.*.*/136, ESP, SPI 0xc57971e9, SEQ 0x1.
2007-11-09 12:52:23 alert IPSec tunnel on interface ethernet3/2 with tunnel ID 0x30 received a packet with a bad SPI.
139.130.*.*->202.122.*.*/128, ESP, SPI 0x4a6471e9, SEQ 0x1.
2007-11-05 12:21:12 alert IPSec tunnel on interface ethernet3/2 with tunnel ID 0x17 received a packet with a bad SPI.
139.130.*.*->202.122.*.*/112, ESP, SPI 0xa42a71e9, SEQ 0x132.
2007-11-05 12:21:01 alert IPSec tunnel on interface ethernet3/2 with tunnel ID 0x17 received a packet with a bad SPI.
139.130.*.*->202.122.*.*/112, ESP, SPI 0xa42a71e9, SEQ 0x130.
... ... (this time it lasted for 20 minutes, alert every some seconds, i can't remember what i was doing at the moment)

But anyway, the tunnel is set up before i came and seems like it has been always working fine.

We too receive Bad SPI messages, i.e.

2008-02-01 14:12:42 Local0.Alert 192.168.168.3 ns5gt: NetScreen device_id=ns5gt [Root]system-alert-00026: IPSec tunnel on int untrust with tunnel ID 0x3 received a packet with a bad SPI. 88.97.***.***->81.3.**.**/**, ESP, SPI 0xe7af, SEQ 0x1 (2008-02-01 14:25:28)000>

(Note: IP address replaced with *'s for security reasons).

We only one have bad SPI entry every one to three days or so.

The VPN is created by two Juniper-NS5GTs running firmware 5.3.0r4.0. The remote Netgear has an ADSL feed attached.

The VPN is used to facilitate online ordering between a web server and a booking office system and passes credit card details.

I'd like to know two things:

1) What effect the packet with the Bad SPI might have upon a person's online ordering "seesion". Might the session be destroyed?

2) How can we stop them happening and, if they don't destroy the session, does it matter if we can't get rid of them?

Thanks.

same here... on different location (franchise companies in different cities in holland) towards our datacentre:

 

2008-09-29 16:06:11 alert IPSec tunnel on int untrust with tunnel ID 0x6 received a packet with a bad SPI. 10.0.0.138->80.101.***.***/72, ESP, SPI 0x0, SEQ 0x45000548

2008-09-29 16:05:53 alert IPSec tunnel on int untrust with tunnel ID 0x6 received a packet with a bad SPI. 10.0.0.138->80.101.***.***/72, ESP, SPI 0x0, SEQ 0x450000c0

2008-09-29 12:47:44 alert IPSec tunnel on int untrust with tunnel ID 0x6 received a packet with a bad SPI. 10.0.0.138->80.101.***.***/72, ESP, SPI 0x0, SEQ 0x45000548

2008-09-29 12:47:26 alert IPSec tunnel on int untrust with tunnel ID 0x6 received a packet with a bad SPI. 10.0.0.138->80.101.***.***/72, ESP, SPI 0x0, SEQ 0x45000098

2008-09-29 08:26:08 alert IPSec tunnel on int untrust with tunnel ID 0x6 received a packet with a bad SPI. 10.0.0.138->80.101.***.***/72, ESP, SPI 0x0, SEQ 0x45000548

2008-09-29 08:25:50 alert IPSec tunnel on int untrust with tunnel ID 0x6 received a packet with a bad SPI. 10.0.0.138->80.101.***.***/72, ESP, SPI 0x0, SEQ 0x450000c8

the result is that the tunnels are being dropped before, that is after a couple of minutes, a new connection is possible. We work with Terminal Server connections (mstsc.exe). I have now set the bufferlimit from 10 seconds to 90 seconds to see wether this will solve the issue. I have also seen that both peers have the rekeying interval of 3600 seconds, but the problem is not vacant on every location (aka netscreen at the franchise dealer). The problem only occurs on a couple of locations, not companywide.

 

how can i adjust the settings? more the less: should I?

 

anyone an idea?

 

thnx

 

Greetings 

I'd be glad if my questions were answered too, but as it's been two months since I left them I guess there is not much chance.

 

The Jupiter Netscreen VPN has been so unreliable we are now replacing it. Every time there is an interruption in our ADSL feed (for instance our provider sometimes reboots it in the small hours) the VPN is lost and does not recover until at least one of the Netscreens has been rebooted. Often both Netscreens require rebooting.

 

We've found the devices entirely unreliable and Jupiters technical help pretty unresponsive and unhelpful.

 

MC

We have had no problems with VPNs re-establishing themselves automatically after a link goes down. Perhaps it is something with your local configuration, and not with the Juniper devices.

 

Also, I have found Juniper tech support to be far superior to Cisco, VMWare, Dell, or any other vendor I have delt with. Unless you really meant "Jupiter", in which case you are on the wrong site. 

http://kb.juniper.net/index?page=content&id=KB10091&pmv=print

 

 

Just tried this, changed it to 40