I have spotted a strange issue and I am not sure how to resolve it. Basically I have two routers with many VLANs, and each VLAN has a separate virtual GW using the VRRP protocol. Some VLANs cross switches that are not mine to manage, and I have received a notice stating that my LAN IP (the VRRP logical IP) is generating "%CRYPTO-4-RECVD_PKT_INV_SPI" errors in the switch log. VRRP itself is working as expected: router A is master and B is backup.
Exact error message, repeated every minute:
Jan 6 14:18:09: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for testaddr=220.127.116.11, prot=51, spi=0XABABABAB(2880154539), srcaddr=10.0.1.253, input interface=GigabitEthernet0/0/9
Just going by the log provided from the switch, it's pretty interesting that the switch sees the VRRP packet as an IPsec packet and tries to decapsulate it, which fails. 1. This is a VRRP packet destined to 18.104.22.168, so the switch should just switch it unless it is also running VRRP. 2. The IP protocol found by the switch seems to be "prot=51", which is AH. The VRRP packet should have IP protocol 112 in it.
I just took a quick packet capture on one of the vSRXs in my lab and I could see it using the correct protocol number in the VRRP packet.
I wonder if the packet is getting read incorrectly by the intermediate device in question.
Let us know if you find out the solution. It does not appear to be a VRRP device issue.
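To make the protocol-number point in the reply above concrete, here is an added Python example (not code from any poster in this thread) that decodes the IPv4 protocol field of a captured frame and then parses either the VRRP advertisement header (protocol 112) or the IP Authentication Header (protocol 51), printing the SPI the way the switch log does. The sample frames are constructed inline: the source address 10.0.1.253 and SPI 0xABABABAB are taken from the quoted log, the destination 224.0.0.18 is the standard VRRP multicast group, and the VRID, priority, virtual address and the AH inner payload are assumed values for illustration only.

```python
"""Classify raw IPv4 frames by protocol number and decode the VRRP or AH
fields that matter when chasing a CRYPTO-4-RECVD_PKT_INV_SPI log.
All packets built here are constructed for this example."""
import struct
import ipaddress

IPPROTO_AH = 51      # IP Authentication Header (RFC 4302)
IPPROTO_VRRP = 112   # VRRP advertisements (RFC 3768)


def build_ipv4(proto: int, src: str, dst: str, payload: bytes, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero because the parsers ignore it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Return protocol number, addresses and the L4 payload of an IPv4 frame."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "ttl": ttl,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[ihl:total_len]}


def parse_vrrp(payload: bytes) -> dict:
    """VRRPv2 fixed header: version/type, VRID, priority, address count,
    authentication type, advertisement interval, checksum, then the addresses."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, prio, n_addr, auth_type, adver_int, _csum = \
        struct.unpack("!BBBBBBH", payload[:8])
    addrs = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(n_addr)]
    return {"version": ver_type >> 4, "type": ver_type & 0x0F, "vrid": vrid,
            "priority": prio, "auth_type": auth_type, "adver_int": adver_int, "addrs": addrs}


def parse_ah(payload: bytes) -> dict:
    """AH header: next header, payload length (in 32-bit words minus 2), reserved, SPI, sequence."""
    if len(payload) < 12:
        raise ValueError("truncated AH header")
    next_hdr, pay_len, _res, spi, seq = struct.unpack("!BBHII", payload[:12])
    icv_len = (pay_len + 2) * 4 - 12   # bytes of integrity check value after the fixed part
    return {"next_header": next_hdr, "spi": spi, "seq": seq, "icv_len": icv_len}


def classify(pkt: bytes) -> str:
    """One-line verdict a network engineer can compare against the switch log."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == IPPROTO_VRRP:
        v = parse_vrrp(ip["payload"])
        return (f"VRRP v{v['version']} adv from {ip['src']} to {ip['dst']}: vrid={v['vrid']} "
                f"prio={v['priority']} auth_type={v['auth_type']} addrs={v['addrs']}")
    if ip["proto"] == IPPROTO_AH:
        a = parse_ah(ip["payload"])
        return (f"AH from {ip['src']} to {ip['dst']}: spi=0x{a['spi']:08X}({a['spi']}) "
                f"seq={a['seq']} next_header={a['next_header']}; an IPsec-aware device will "
                f"look this SPI up in its SA table and log INV_SPI when it is unknown")
    return f"proto {ip['proto']} from {ip['src']} to {ip['dst']}: neither VRRP nor AH"


# Constructed sample 1: a plain VRRPv2 advertisement, VRID 1, priority 200, one virtual address.
VRRP_ADV = build_ipv4(IPPROTO_VRRP, "10.0.1.253", "224.0.0.18",
                      struct.pack("!BBBBBBH", 0x21, 1, 200, 1, 0, 1, 0)
                      + ipaddress.IPv4Address("10.0.1.254").packed)

# Constructed sample 2: an AH packet from the same source carrying the SPI seen in the log
# (payload length 4 words => 12-byte ICV; inner bytes are dummy filler for this example).
AH_PKT = build_ipv4(IPPROTO_AH, "10.0.1.253", "224.0.0.18",
                    struct.pack("!BBHII", IPPROTO_VRRP, 4, 0, 0xABABABAB, 1) + bytes(12) + bytes(8))

if __name__ == "__main__":
    for frame in (VRRP_ADV, AH_PKT):
        print(classify(frame))
```

Feeding real frames from a capture (for example the raw bytes of each packet exported from tcpdump or Wireshark, with the Ethernet header stripped) into `classify()` tells you immediately whether the frames leaving your master really carry protocol 112 or whether something on the path is seeing protocol 51, which is the distinction the reply above hinges on.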
Some VLANs cross switches that are not mine to manage, and I have received a notice stating that my LAN IP (the VRRP logical IP) is generating "%CRYPTO-4-RECVD_PKT_INV_SPI" errors in the switch log. VRRP itself is working as expected: router A is master and B is backup.
Someone managing these VLANs has hijacked your router IP 10.0.1.253 and has also decided to use VRRP, but his/her password is not the same as yours, thankfully. Please ask for a packet capture as suggested by the other poster, and look for the source MAC.
I hope you are not using common words such as "password123" for your VRRP authentication, otherwise you'd end up having your traffic sent to the wrong router.
I don't really think that there are any duplicate IPs on that specific VLAN. However, I found something that I would like to clarify. When I set the VRRP authentication-key with MD5, should the secret data be identical on both routers?
For example, if I set "Test1234":
Router A: $9$78NsgGUHm5FiktuB1hcwY2gGD
Router B: $9$AHBLt1EleWx-wM8JGji.mBIRElK
On the other hand, VRRP comes up as backup on router B; if the password were wrong, then both would be active, correct?