ScreenOS Firewalls (NOT SRX)

Re: IPsec tunnel received a packet with bad SPI

07-24-2009 12:40 PM

Hi,

Yes, "monitor rekey" is only checked on the SSG140 at the datacenter; all the SSG5s have that box unchecked.

Here's the get event:

2009-07-24 14:21:55 system info  00536 IKE 69.74..x.x Phase 2 msg ID
                                       8956d279: Completed negotiations with
                                       SPI fae14d56, tunnel ID 73, and
                                       lifetime 3600 seconds/0 KB.
2009-07-24 14:21:55 system alert 00026 IPSec tunnel on interface ethernet0/2
                                       with tunnel ID 0x49 received a packet
                                       with a bad SPI.
                                       69.74..x.x ->65.51..x.x /256, ESP,
                                       SPI 0xfae14d56, SEQ 0x1.
2009-07-24 14:21:55 system info  00536 IKE 69.74..x.x: Received a
                                       notification message for DOI 1 40001
                                       NOTIFY_NS_NHTB_INFORM.
2009-07-24 14:21:55 system info  00536 IKE 69.74..x.x Phase 2 msg ID
                                       8956d279: Responded to the peer's
                                       first message.


Re: IPsec tunnel received a packet with bad SPI

07-24-2009 03:30 PM

Can you please provide the complete get event, or at least for that one-hour period?

The reason I am asking is that I need to check whether the bad SPI is coming at the time of rekey or randomly.

Thanks

Atif 


Re: IPsec tunnel received a packet with bad SPI

07-27-2009 08:12 AM

OK, here's the latest one below. This one does seem to correlate with rekeys; not every one does, however. I will track this and let you know.

What are your thoughts?

2009-07-27 10:26:40 system info  00536 IKE 69.74.x.x Phase 2 msg ID
                                       f9aa75d9: Completed negotiations with
                                       SPI fae151b2, tunnel ID 73, and
                                       lifetime 3600 seconds/0 KB.
2009-07-27 10:26:40 system alert 00026 IPSec tunnel on interface ethernet0/2
                                       with tunnel ID 0x49 received a packet
                                       with a bad SPI.
                                       69.74.x.x->65.51.x.x10/256, ESP,
                                       SPI 0xfae151b2, SEQ 0x1.
2009-07-27 10:26:40 system info  00536 IKE 69.74.x.x: Received a
                                       notification message for DOI 1 40001
                                       NOTIFY_NS_NHTB_INFORM.
2009-07-27 10:26:40 system info  00536 IKE 69.74.x.x Phase 2 msg ID
                                       f9aa75d9: Responded to the peer's
                                       first message.
2009-07-27 10:26:40 system info  00536 IKE 69.74.x.x Phase 1: Completed
                                       Main mode negotiations with a
                                       28800-second lifetime.
2009-07-27 10:26:39 system info  00536 IKE 69.74.x.x Phase 1: Responder
                                       starts MAIN mode negotiations.


Re: IPsec tunnel received a packet with bad SPI

07-28-2009 02:32 PM

Does it happen every time at rekey? If not, how often does it happen?

Thanks

Atif
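The check Atif is asking for (does every bad-SPI alert line up with a Phase 2 rekey, or do some arrive on their own?) can be scripted against the `get event` output rather than read by eye. The following is an added example, not code from the thread or from Juniper: it parses the multi-line ScreenOS event format quoted above (a header line with date, severity and five-digit event ID, followed by indented continuation lines), pairs each `00026` bad-SPI alert with a `00536` "Completed negotiations with SPI ..." entry that negotiated the same SPI on the same tunnel within a few seconds, and also flags alerts whose ESP sequence number is 0x1, i.e. the very first packet on a freshly negotiated SA, which is what a rekey race would produce. The sample log is constructed to mirror the entries in this thread; the 5-second window and the field names are assumptions of this example.

```python
"""Correlate ScreenOS 'bad SPI' alerts (event 00026) with Phase 2 rekeys (event 00536).

Added example for this thread; not Juniper code. Input format is the plain
'get event' output as quoted in the thread: a header line, then indented
continuation lines that belong to the same entry.
"""
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the get event output quoted in the thread.
# The 12:03:11 alert is invented to show an alert with no matching rekey.
SAMPLE_LOG = """\
2009-07-27 10:26:40 system info  00536 IKE 69.74.x.x Phase 2 msg ID
                                       f9aa75d9: Completed negotiations with
                                       SPI fae151b2, tunnel ID 73, and
                                       lifetime 3600 seconds/0 KB.
2009-07-27 10:26:40 system alert 00026 IPSec tunnel on interface ethernet0/2
                                       with tunnel ID 0x49 received a packet
                                       with a bad SPI.
                                       69.74.x.x->65.51.x.x/256, ESP,
                                       SPI 0xfae151b2, SEQ 0x1.
2009-07-27 10:26:40 system info  00536 IKE 69.74.x.x: Received a
                                       notification message for DOI 1 40001
                                       NOTIFY_NS_NHTB_INFORM.
2009-07-27 12:03:11 system alert 00026 IPSec tunnel on interface ethernet0/2
                                       with tunnel ID 0x49 received a packet
                                       with a bad SPI.
                                       69.74.x.x->65.51.x.x/256, ESP,
                                       SPI 0x0badc0de, SEQ 0x7f3a.
"""

# Header line: timestamp, "system", severity, five-digit event ID, message start.
ENTRY_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) system (\w+)\s+(\d{5}) (.*)$")
# 00536 Phase 2 completion: the SPI is printed as bare hex, the tunnel ID in decimal.
REKEY_RE = re.compile(r"Completed negotiations with SPI ([0-9a-f]+), tunnel ID (\d+),")
# 00026 alert: tunnel ID as 0x-hex, then src->dst/proto, SPI and ESP sequence number.
BADSPI_RE = re.compile(
    r"tunnel ID 0x([0-9a-f]+) received a packet with a bad SPI\.\s+"
    r"(\S+)\s*->\s*(\S+?)\s*/\d+, ESP, SPI 0x([0-9a-f]+), SEQ 0x([0-9a-f]+)"
)


def parse_events(text):
    """Fold the multi-line 'get event' output into one dict per entry."""
    events = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ts, level, eid, msg = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                           "level": level, "id": eid, "msg": msg.strip()})
        elif line.strip() and events:
            # Indented continuation line: append to the previous entry.
            events[-1]["msg"] += " " + line.strip()
    return events


def correlate(events, window=timedelta(seconds=5)):
    """Pair each bad-SPI alert with a Phase 2 completion for the same SPI and
    tunnel within +/- window; order of entries does not matter (get event
    prints newest first)."""
    rekeys = []
    for e in events:
        if e["id"] == "00536":
            m = REKEY_RE.search(e["msg"])
            if m:
                rekeys.append({"ts": e["ts"], "spi": int(m.group(1), 16),
                               "tunnel": int(m.group(2))})
    results = []
    for e in events:
        if e["id"] != "00026":
            continue
        m = BADSPI_RE.search(e["msg"])
        if not m:
            continue
        tunnel_hex, src, dst, spi_hex, seq_hex = m.groups()
        spi, seq, tunnel = int(spi_hex, 16), int(seq_hex, 16), int(tunnel_hex, 16)
        match = next((r for r in rekeys
                      if r["spi"] == spi and r["tunnel"] == tunnel
                      and abs(r["ts"] - e["ts"]) <= window), None)
        results.append({
            "ts": e["ts"], "src": src, "dst": dst, "spi": spi_hex,
            "seq": seq, "tunnel": tunnel,
            "at_rekey": match is not None,
            # SEQ 0x1 means the peer's first packet on a new SA: a rekey race.
            "first_packet_on_new_sa": seq == 1,
        })
    return results


def summarize(results):
    """Counts that answer 'how often is it at rekey?'."""
    total = len(results)
    at_rekey = sum(1 for r in results if r["at_rekey"])
    return {"total": total, "at_rekey": at_rekey, "unexplained": total - at_rekey}


if __name__ == "__main__":
    res = correlate(parse_events(SAMPLE_LOG))
    for r in res:
        print(r["ts"], r["src"], "->", r["dst"], "SPI", r["spi"],
              "at_rekey" if r["at_rekey"] else "UNEXPLAINED",
              "(first packet on new SA)" if r["first_packet_on_new_sa"] else "")
    print(summarize(res))
```

Feed it a saved `get event` capture covering the whole period in question; alerts that come back as unexplained and with a sequence number well above 1 are the ones worth raising with JTAC separately, since they are not a rekey race.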


Re: IPsec tunnel received a packet with bad SPI

07-31-2009 07:26 AM

After reviewing the logs, I've determined it happens 95% of the time at rekey, but occasionally it does it with no other entries in the logs at the same time.

Out of now 16 locations, it only happens at the one location with any regularity; when it happens, it happens for the most part at rekey. The config is identical to the others, other than the interface addresses.

I'm not losing the tunnel, but we do run IP phones over this unit, and it's a key location as it's a call center.

I'm hoping to avoid a problem by solving this now.

I appreciate the replies....


Re: IPsec tunnel received a packet with bad SPI

07-31-2009 04:16 PM

Hi,

Please open a case with JTAC. A JTAC engineer will help you collect the debug data, which could help us find a clue to the issue.

Thanks

Atif


Re: IPsec tunnel received a packet with bad SPI

10-22-2009 11:18 AM

I have a case open, no luck so far.


Re: IPsec tunnel received a packet with bad SPI

12-21-2009 11:04 AM

Hi,

I have had a case open for a long time on this. Still no luck. The techs have had me make lots of changes and collect lots of data from the firewalls but still no resolution.

If any of you Juniper guys want to look at the case notes:

2009-1020-0223 is the case number.

We could use the help. It's still a very live case.


Re: IPsec tunnel received a packet with bad SPI

01-08-2010 11:24 PM

If both sides are ScreenOS boxes, try turning on the responder and initiator commit bit on both sides. The issue should be fixed. I guess the problem is that one side completes the rekey and starts encrypting the packets, whereas the other side is still trying to finish the rekey. Hopefully it helps.

set ike initiator-set-commit

set ike responder-set-commit


Re: IPsec tunnel received a packet with bad SPI

01-28-2010 07:09 PM

For the command:

set ike initial-contact [ all-peers | single-gateway name_str ]

what is the difference between these? Thanks for your advice.


Re: IPsec tunnel received a packet with bad SPI

05-21-2010 01:23 PM

Clayton,

Did this ever get resolved? I'm experiencing the same issue on an NS5GT.

-Joshua

Re: IPsec tunnel received a packet with bad SPI

04-06-2011 10:55 AM

I would like to see an update on this also.

Jason J. Wald
Juniper Networks Certified
Internet Associate - FWV

Re: IPsec tunnel received a packet with bad SPI

04-15-2011 09:31 AM

I wish I could say there was a resolution, but everything Juniper support had me try did not work. I was checking here just today to see if anyone came up with a solution.


Re: IPsec tunnel received a packet with bad SPI

09-07-2011 01:19 AM

Hey everyone,

I know this post is very old, but maybe it's still interesting for someone :-) I got the same alert:

[00001] 2011-09-07 00:02:05 [Root]system-alert-00026: IPSec tunnel on interface ethernet0/0 with tunnel ID 0xe received a packet with a bad SPI. 108.xxx.xxx.xxx->212.xxx.xxx.xxx/xx, ESP, SPI 0xaba9519d, SEQ 0x1.

After comparing the settings on both sides, it turned out that the lifetime (phase 2 proposal) of the encryption key was set to different values: 3600 seconds on the remote side (108.xxx.xxx.xxx), 28800 seconds here on my side (212.xxx.xxx.xxx). So I modified the settings, set them to the same value and, what a surprise, it works: the alerts disappeared.

I hope I could help someone with this post.

Florian