SRX Services Gateway

Vrrp generating "%CRYPTO-4-RECVD_PKT_INV_SPI" errors

01-07-2020 11:25 AM

Hello

I have spotted a strange issue and I'm not sure how to resolve it. Basically, I have two routers with many VLANs, and each VLAN has a separate virtual GW with the VRRP protocol. Some VLANs cross switches that are not mine to manage, and I have received a notice stating that my LAN IP (VRRP logical IP) is generating "%CRYPTO-4-RECVD_PKT_INV_SPI" errors in the switch log. VRRP itself is working as expected; router A is master and B is backup.

Exact error message, repeated every minute: Jan 6 14:18:09: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for testaddr=224.0.0.18, prot=51, spi=0XABABABAB(2880154539), srcaddr=10.0.1.253, input interface=GigabitEthernet0/0/9

VRRP config on router A:

unit 999 {
    vlan-id 999;
    family inet {
        address 10.0.1.253/24 {
            vrrp-group 14 {
                virtual-address 10.0.1.1;
                priority 200;
                accept-data;
                authentication-type md5;
                authentication-key "password"; ## SECRET-DATA
                track {
                    interface xe-2/2/0 {
                        priority-cost 200;
                    }
                }
            }
        }
    }
}

VRRP config on router B:

unit 999 {
    vlan-id 999;
    family inet {
        address 10.0.1.254/24 {
            vrrp-group 14 {
                virtual-address 10.0.1.1;
                priority 100;
                accept-data;
                authentication-type md5;
                authentication-key "password"; ## SECRET-DATA
                track {
                    interface xe-2/2/0 {
                        priority-cost 100;
                    }
                }
            }
        }
    }
}

Re: Vrrp generating "%CRYPTO-4-RECVD_PKT_INV_SPI" errors

01-07-2020 02:03 PM

Hi Egert,

Just going by the log provided from the switch, it's pretty interesting that the switch sees the VRRP packet as an IPsec packet and tries to decapsulate it, which fails.
1. This is a VRRP packet destined to 224.0.0.18, so it should just switch it unless it is also running VRRP.
2. The IP protocol found by the switch seems to be "prot=51", which is for AH. The VRRP packet should have IP proto 112 in it.

I just took a quick packet capture on one of the vSRXs in my lab and I could see it using the correct protocol number in the VRRP packet.

I wonder if the packet is getting read incorrectly by the intermediate device in question.

Let us know if you find out the solution. It does not appear to be a VRRP device issue.

Thanks,

Kinshuk

Re: Vrrp generating "%CRYPTO-4-RECVD_PKT_INV_SPI" errors

01-07-2020 09:13 PM

Hello,

VRRP for IPv4 uses IPSec AH to authenticate packets, see https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/vrrp-authentication-for-...

@Egert wrote:

Some VLANs cross switches that are not mine to manage, and I have received a notice stating that my LAN IP (VRRP logical IP) is generating "%CRYPTO-4-RECVD_PKT_INV_SPI" errors in the switch log. VRRP itself is working as expected; router A is master and B is backup.

Someone managing these VLANs has hijacked Your router IP 10.0.1.253 and also decided to use VRRP, but his/her password is not the same as Yours, thankfully. Please ask for a packet capture as suggested by the other poster, and look for the src MAC.

I hope You are not using common words such as "password123" for Your VRRP authentication, otherwise You'd end up having Your traffic sent to the wrong router.

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
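
Putting Kinshuk's observation (protocol 51, AH, sent to the VRRP group) together with Alex's point that VRRP MD5 authentication uses IPsec AH, a small triage script can separate these switch log entries from real IPsec SA failures and flag a source address that is not one of your own routers. This is an added example, not code from the thread or from Juniper; the log format is taken from the line Egert quoted, the router address set comes from his two configs, and the two extra sample lines are constructed.

```python
import re

# Field layout of the IOS %CRYPTO-4-RECVD_PKT_INV_SPI message quoted in the thread.
INV_SPI_RE = re.compile(
    r"RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    r"testaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), spi=0[Xx](?P<spi>[0-9A-Fa-f]+)\(\d+\), "
    r"srcaddr=(?P<src>[\d.]+), input interface=(?P<ifc>\S+)")
VRRP_MCAST = "224.0.0.18"  # VRRP for IPv4 group address
PROTO_AH = 51              # IPsec Authentication Header, which VRRP MD5 authentication uses

def parse_inv_spi(line):
    """Return {dst, prot, spi, src, ifc} for a RECVD_PKT_INV_SPI line, else None."""
    m = INV_SPI_RE.search(line)
    if not m:
        return None
    return {"dst": m["dst"], "prot": int(m["prot"]), "spi": int(m["spi"], 16),
            "src": m["src"], "ifc": m["ifc"]}

def classify(ev, vrrp_router_ips):
    """Decide what an invalid-SPI event on a switch actually represents."""
    if ev["dst"] != VRRP_MCAST or ev["prot"] != PROTO_AH:
        return "ipsec-sa-mismatch"       # genuine IPsec traffic: check the tunnel peers' SAs
    if ev["src"] in vrrp_router_ips:
        return "vrrp-ah-own-router"      # our own authenticated VRRP advert; VRRP itself is fine
    return "vrrp-ah-unknown-source"      # authenticated VRRP from an address we do not operate

def triage(lines, vrrp_router_ips):
    """Map each parsable line to (src, ifc, verdict)."""
    out = []
    for line in lines:
        ev = parse_inv_spi(line)
        if ev is not None:
            out.append((ev["src"], ev["ifc"], classify(ev, vrrp_router_ips)))
    return out

# Constructed sample log: the thread's own line plus two invented ones for contrast.
SAMPLE_LOG = [
    "Jan 6 14:18:09: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    "testaddr=224.0.0.18, prot=51, spi=0XABABABAB(2880154539), srcaddr=10.0.1.253, "
    "input interface=GigabitEthernet0/0/9",
    "Jan 6 14:19:09: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    "testaddr=224.0.0.18, prot=51, spi=0X00000101(257), srcaddr=10.0.1.77, "
    "input interface=GigabitEthernet0/0/12",
    "Jan 6 14:20:09: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    "testaddr=10.0.9.1, prot=50, spi=0X1A2B3C4D(439041101), srcaddr=198.51.100.7, "
    "input interface=GigabitEthernet0/0/1",
]
OUR_VRRP_ROUTERS = {"10.0.1.253", "10.0.1.254"}  # interface addresses from the two configs above

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, OUR_VRRP_ROUTERS):
        print(row)
```

A "vrrp-ah-unknown-source" verdict is the case Alex describes, and the log alone cannot settle it; the packet capture and source MAC he asks for are the next step.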

Re: Vrrp generating "%CRYPTO-4-RECVD_PKT_INV_SPI" errors

01-08-2020 12:51 AM

I don't really think that there are any duplicate IPs on that specific VLAN. However, I found something that I would like to clarify. When I set the VRRP authentication-key with MD5, should the secret data be identical on both routers?

For example, if I set "Test1234":

Router A: $9$78NsgGUHm5FiktuB1hcwY2gGD

Router B: $9$AHBLt1EleWx-wM8JGji.mBIRElK

On the other hand, VRRP comes up as backup on router B; if the password were wrong, then both would be active, correct?


Re: Vrrp generating "%CRYPTO-4-RECVD_PKT_INV_SPI" errors

01-10-2020 05:14 AM

Hello,

@Egert wrote:

When I set the VRRP authentication-key with MD5, should the secret data be identical on both routers?

No. Reading the source code of the Juniper $9$ encryption algo shows that the encrypted password starts with $9${salt}{random number}, so the crypto result is different when performed in different places.

The source code of the Juniper $9$ encryption algorithm is freely available on the internet:

Java https://forums.juniper.net/t5/Junos/Password-encryption-algorithm-in-Junos/td-p/96208

Perl https://metacpan.org/pod/distribution/Crypt-Juniper/lib/Crypt/Juniper.pm

HTH

Thx

Alex

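
To confirm Alex's answer against Egert's two strings, here is an added example (not from the thread, from Juniper, or from the linked modules) that ports the $9$ reversal logic the linked Perl module implements: both values decode to the same key, and the decoding also shows that $9$ is reversible obfuscation rather than a hash, so configuration exports containing ## SECRET-DATA need the same handling as the plaintext key.

```python
# Junos $9$ reversible obfuscation, ported from the publicly available Crypt::Juniper logic.
MAGIC = "$9$"
FAMILY = ["QzF3n6/9CAtpu0O", "B1IREhcSyrleKvMW8LXx", "7N-dVbwsY2g4oaJZGUDj", "iHkq.mPf5T"]
NUM_ALPHA = list("".join(FAMILY))                       # the 65-symbol output alphabet
ALPHA_NUM = {c: i for i, c in enumerate(NUM_ALPHA)}
# The first character after $9$ selects how many random padding characters follow it;
# this padding is what makes the same key encode differently on each router.
EXTRA = {c: 3 - fam for fam, chars in enumerate(FAMILY) for c in chars}
ENCODING = [[1, 4, 32], [1, 16, 32], [1, 8, 32], [1, 64], [1, 32], [1, 4, 16, 128], [1, 32, 64]]

def _gap(prev, cur):
    """Distance between two alphabet symbols, as the original algorithm defines it."""
    return (ALPHA_NUM[cur] - ALPHA_NUM[prev]) % len(NUM_ALPHA) - 1

def junos9_decode(secret):
    """Reverse a $9$ string to the plaintext it stores."""
    if not secret.startswith(MAGIC) or len(secret) < 5:
        raise ValueError("not a $9$ secret")
    first, chars = secret[3], secret[4:]
    chars = chars[EXTRA[first]:]        # drop the random padding
    prev, out = first, ""
    while chars:
        decode = ENCODING[len(out) % len(ENCODING)]
        nibble, chars = chars[:len(decode)], chars[len(decode):]
        if len(nibble) != len(decode):
            raise ValueError("truncated $9$ secret")
        gaps = []
        for c in nibble:                # each plaintext byte is spread over several gaps
            gaps.append(_gap(prev, c))
            prev = c
        out += chr(sum(g * d for g, d in zip(gaps, decode)) % 256)
    return out

def vrrp_keys_match(secret_a, secret_b):
    """True when two differently encoded $9$ strings hold the same VRRP key."""
    return junos9_decode(secret_a) == junos9_decode(secret_b)

# The two strings Egert posted for the same key "Test1234" on routers A and B.
ROUTER_A = "$9$78NsgGUHm5FiktuB1hcwY2gGD"
ROUTER_B = "$9$AHBLt1EleWx-wM8JGji.mBIRElK"

if __name__ == "__main__":
    print(junos9_decode(ROUTER_A), junos9_decode(ROUTER_B), vrrp_keys_match(ROUTER_A, ROUTER_B))
```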