ScreenOS Firewalls (NOT SRX)
Contributor
Posts: 31
Registered: ‎01-06-2009
0 Kudos

Re: IPsec tunnel received a packet with bad SPI


Hi,

 

Yes, monitor rekey is only on "checked" on the SSG140 at the datacenter, all the ssg5's have that box "unchecked". 

 

Here's the get event:

 


2009-07-24 14:21:55 system info  00536 IKE 69.74..x.x Phase 2 msg ID
                                       8956d279: Completed negotiations with
                                       SPI fae14d56, tunnel ID 73, and
                                       lifetime 3600 seconds/0 KB.
2009-07-24 14:21:55 system alert 00026 IPSec tunnel on interface ethernet0/2
                                       with tunnel ID 0x49 received a packet
                                       with a bad SPI.
                                       69.74..x.x ->65.51..x.x /256, ESP,
                                       SPI 0xfae14d56, SEQ 0x1.
2009-07-24 14:21:55 system info  00536 IKE 69.74..x.x: Received a
                                       notification message for DOI 1 40001
                                       NOTIFY_NS_NHTB_INFORM.
2009-07-24 14:21:55 system info  00536 IKE 69.74..x.x Phase 2 msg ID
                                       8956d279: Responded to the peer's
                                       first message.

Message Edited by Clayton on 07-24-2009 12:42 PM
Super Contributor
Posts: 287
Registered: ‎10-21-2008
0 Kudos

Re: IPsec tunnel received a packet with bad SPI

Can you please provide the complete get event, or at least for that 1 hour period.

The reason I am asking: I need to check whether the Bad SPI is coming at the time of rekey or whether it is coming randomly.

 

Thanks

Atif 

Contributor
Posts: 31
Registered: ‎01-06-2009
0 Kudos

Re: IPsec tunnel received a packet with bad SPI

OK, here's the latest one below. This one does seem to correlate with rekeys; not every one does, however. I will track this and let you know.

 

 

What are your thoughts ? 

 

 

2009-07-27 10:26:40 system info  00536 IKE 69.74.x.x Phase 2 msg ID
                                       f9aa75d9: Completed negotiations with
                                       SPI fae151b2, tunnel ID 73, and
                                       lifetime 3600 seconds/0 KB.
2009-07-27 10:26:40 system alert 00026 IPSec tunnel on interface ethernet0/2
                                       with tunnel ID 0x49 received a packet
                                       with a bad SPI.
                                       69.74.x.x->65.51.x.x10/256, ESP,
                                       SPI 0xfae151b2, SEQ 0x1.
2009-07-27 10:26:40 system info  00536 IKE 69.74.x.x: Received a
                                       notification message for DOI 1 40001
                                       NOTIFY_NS_NHTB_INFORM.
2009-07-27 10:26:40 system info  00536 IKE 69.74.x.x Phase 2 msg ID
                                       f9aa75d9: Responded to the peer's
                                       first message.
2009-07-27 10:26:40 system info  00536 IKE 69.74.x.x Phase 1: Completed
                                       Main mode negotiations with a
                                       28800-second lifetime.
2009-07-27 10:26:39 system info  00536 IKE 69.74.x.x Phase 1: Responder
                                       starts MAIN mode negotiations.

Message Edited by Clayton on 07-27-2009 08:15 AM
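The question Atif raises above (does the bad SPI coincide with a rekey, or does it appear on its own?) can be answered mechanically from the "get event" output rather than by eye. The following Python script is an added example, not code from the thread or from Juniper: it joins the indented continuation lines of ScreenOS event entries into single records, then pairs every 00026 "bad SPI" alert with a 00536 "Completed negotiations with SPI ..." entry for the same SPI and tunnel within a few seconds. The sample log is constructed, modelled on the output posted above (the tunnel appears as 0x49 in the alert and as decimal 73 in the IKE message, so the script compares them numerically); the second alert with SPI 0x0a1b2c3d is invented to show the "no matching rekey" case.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the ScreenOS "get event" layout: one entry per
# timestamped line, with wrapped text continued on indented lines.
SAMPLE_LOG = """\
2009-07-27 10:26:40 system info  00536 IKE 69.74.x.x Phase 2 msg ID
                                       f9aa75d9: Completed negotiations with
                                       SPI fae151b2, tunnel ID 73, and
                                       lifetime 3600 seconds/0 KB.
2009-07-27 10:26:40 system alert 00026 IPSec tunnel on interface ethernet0/2
                                       with tunnel ID 0x49 received a packet
                                       with a bad SPI.
                                       69.74.x.x->65.51.x.x/256, ESP,
                                       SPI 0xfae151b2, SEQ 0x1.
2009-07-27 10:26:40 system info  00536 IKE 69.74.x.x: Received a
                                       notification message for DOI 1 40001
                                       NOTIFY_NS_NHTB_INFORM.
2009-07-27 10:26:40 system info  00536 IKE 69.74.x.x Phase 2 msg ID
                                       f9aa75d9: Responded to the peer's
                                       first message.
2009-07-27 11:52:03 system alert 00026 IPSec tunnel on interface ethernet0/2
                                       with tunnel ID 0x49 received a packet
                                       with a bad SPI.
                                       69.74.x.x->65.51.x.x/256, ESP,
                                       SPI 0x0a1b2c3d, SEQ 0x1.
"""

# Start of an entry: timestamp, "system", severity, 5-digit event id, text.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) system (\w+)\s+(\d{5}) (.*)$")
# Phase 2 SA installed: SPI (hex, no 0x), tunnel id (decimal), lifetime.
REKEY_RE = re.compile(
    r"Completed negotiations with SPI ([0-9a-fA-F]+), tunnel ID (\d+), "
    r"and lifetime (\d+) seconds")
# Bad SPI alert: tunnel id (hex with 0x) and the offending SPI.
BADSPI_RE = re.compile(
    r"tunnel ID 0x([0-9a-fA-F]+) received a packet with a bad SPI\."
    r".*?SPI 0x([0-9a-fA-F]+)")


def parse_events(text):
    """Turn get-event output into a list of dicts, joining wrapped lines."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = ENTRY_RE.match(raw)
        if m:
            events.append({
                "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                "level": m.group(2),
                "id": m.group(3),
                "msg": m.group(4).strip(),
            })
        elif events and raw[0].isspace():
            # Indented line: continuation of the previous entry's text.
            events[-1]["msg"] += " " + raw.strip()
    return events


def classify_bad_spi(events, window=timedelta(seconds=5)):
    """Label each bad-SPI alert as 'rekey-race' (a Phase 2 SA with that SPI
    was installed on the same tunnel within `window`) or 'unexplained'."""
    rekeys = []
    for e in events:
        if e["id"] == "00536":
            m = REKEY_RE.search(e["msg"])
            if m:
                rekeys.append({"time": e["time"], "spi": m.group(1).lower(),
                               "tunnel": int(m.group(2)),
                               "lifetime": int(m.group(3))})
    findings = []
    for e in events:
        if e["id"] != "00026":
            continue
        m = BADSPI_RE.search(e["msg"])
        if not m:
            continue
        tunnel, spi = int(m.group(1), 16), m.group(2).lower()
        match = next((r for r in rekeys
                      if r["spi"] == spi and r["tunnel"] == tunnel
                      and abs(r["time"] - e["time"]) <= window), None)
        findings.append({"time": e["time"], "tunnel": tunnel, "spi": spi,
                         "cause": "rekey-race" if match else "unexplained",
                         "lifetime": match["lifetime"] if match else None})
    return findings


def summarize(findings):
    """Return (total bad-SPI alerts, how many coincided with a rekey)."""
    return len(findings), sum(1 for f in findings if f["cause"] == "rekey-race")


if __name__ == "__main__":
    results = classify_bad_spi(parse_events(SAMPLE_LOG))
    for f in results:
        print(f["time"], f"tunnel {f['tunnel']}", f"SPI 0x{f['spi']}",
              f["cause"], f"lifetime={f['lifetime']}")
    print("total/at-rekey:", summarize(results))
```

Feed it a full day of "get event" output and the summary line gives the ratio Atif asked for; alerts labelled "unexplained" are the ones worth keeping in the JTAC case, since they cannot be explained by the peer starting to send on the new SA before the local side finished installing it.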
Super Contributor
Posts: 287
Registered: ‎10-21-2008
0 Kudos

Re: IPsec tunnel received a packet with bad SPI

Does it happen every time at the time of rekey? If not, how often does it happen?

 

Thanks

Atif

 

Contributor
Posts: 31
Registered: ‎01-06-2009
0 Kudos

Re: IPsec tunnel received a packet with bad SPI

After reviewing the logs I've determined it happens 95% of the time at rekey but occasionally does it with no other entries in the logs at the same time.

 

Out of the now 16 locations it only happens at the one location with any regularity; when it happens, it happens for the most part at rekey. The config is identical to the others other than the interface addresses.

 

I'm not losing the tunnel, but we do run IP Phones over this unit and it's a key location as it's a call center.

 

I'm hoping to avoid a problem by solving this now.

 

I appreciate the replies....

 

 

Super Contributor
Posts: 287
Registered: ‎10-21-2008
0 Kudos

Re: IPsec tunnel received a packet with bad SPI

Hi,

 

Please open a case with JTAC. A JTAC engineer will help you collect the debug data, which could help us find a clue to the issue.

 

Thanks

Atif

Contributor
Posts: 31
Registered: ‎01-06-2009
0 Kudos

Re: IPsec tunnel received a packet with bad SPI

I have a case open, no luck so far.

Contributor
Posts: 31
Registered: ‎01-06-2009
0 Kudos

Re: IPsec tunnel received a packet with bad SPI

Hi,

 

I have had a case open for a long time on this. Still no luck. The techs have had me make lots of changes and collect lots of data from the firewalls but still no resolution.

 

If any of you Juniper guys want to look at the case notes:

2009-1020-0223 is the case number.

 

We could use the help. It's still a very live case.

Juniper Employee
Posts: 15
Registered: ‎01-08-2010
0 Kudos

Re: IPsec tunnel received a packet with bad SPI

If both sides are ScreenOS boxes, try turning on the responder and initiator commit bit on both sides. The issue should be fixed. I guess the problem is that one side completes the rekey and starts encrypting the packets, whereas the other side is still trying to finish the rekey. Hopefully it helps.

 

set ike initiator-set-commit

set ike responder-set-commit

Contributor
Posts: 56
Registered: ‎11-03-2008
0 Kudos

Re: IPsec tunnel received a packet with bad SPI

For the command:

set ike initial-contact [ all-peers | single-gateway name_str ]

what is the difference between these options? Thanks for the advice.

Contributor
Posts: 71
Registered: ‎05-03-2010
0 Kudos

Re: IPsec tunnel received a packet with bad SPI

Clayton,

   Did this ever get resolved?  I'm experiencing the same issue on a NS5GT.

-Joshua

 

Contributor
Posts: 110
Registered: ‎06-27-2008
0 Kudos

Re: IPsec tunnel received a packet with bad SPI

I would like to see an update on this also.

Jason J. Wald
Juniper Networks Certified
Internet Associate - FWV
Contributor
Posts: 31
Registered: ‎01-06-2009
0 Kudos

Re: IPsec tunnel received a packet with bad SPI


I wish I could say there was a resolution but everything Juniper support had me try did not work.  I was checking here just today to see if anyone came up with a solution.

Visitor
Posts: 2
Registered: ‎05-23-2010
0 Kudos

Re: IPsec tunnel received a packet with bad SPI

Hey everyone,

I know this post is very old, but maybe it's still interesting for someone :-) I got the same alert:

[00001] 2011-09-07 00:02:05 [Root]system-alert-00026: IPSec tunnel on interface ethernet0/0 with tunnel ID 0xe received a packet with a bad SPI. 108.xxx.xxx.xxx->212.xxx.xxx.xxx/xx, ESP, SPI 0xaba9519d, SEQ 0x1.

After comparing the settings on both sides, it turned out that the lifetime (phase 2 proposal) of the encryption key was set to different values - 3600 seconds on the remote side (108.xxx.xxx.xxx), 28800 seconds here on my side (212.xxx.xxx.xxx). So I modified the settings, set them to the same value and - what a surprise - it works, the alerts disappeared.

 

I hope I could help someone with this post.

 

Florian