/kernel: IPv6 ESP input: no key association found for spi xxxxxx

This article explains the /kernel: IPv6 ESP input: no key association found for spi xxxxxx syslog message and how to avoid it.

This kernel message means that the remote IPsec peer still believes that an outstanding Security Association (SA) is defined and is sending encrypted packets that the router cannot process. When the router receives an ESP-encrypted packet from the peer and has no matching SA for the SPI <spi> carried in the ESP header, this message is logged.

An SA is the set of shared security attributes established for an IPsec connection to support secure communication. It includes attributes such as the SPI, protocol (AH/ESP), mode (tunnel/transport), encryption algorithm (DES/3DES/AES), authentication algorithm, auth-key, sequence counter, DSCP, path MTU, tunnel endpoint IP addresses, and SA lifetime. If any of these attributes is changed while the IPsec tunnel is up, so that the values carried in the ESP header of incoming encrypted packets no longer match an established SA, you will probably see this message.

When this message is generated, the affected packets are dropped even though the IPsec tunnel is up. The tunnel itself remains established until the tunnel session expires.

This behavior is not a bug.

This issue is triggered by a configuration change to the IPsec tunnel attributes while the tunnel is up. As a workaround, avoid configuration changes while the tunnel is in use, and do not de-activate the relevant configuration.

If these attributes must be changed, de-activate the specific IPsec tunnel on both routers first, make the change, and then re-activate the tunnel. After this is done, the IPv6 ESP input: no key association found for spi xxxxxx syslog message will no longer be generated.
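To catch this condition on a syslog collector rather than waiting for a tunnel to degrade, the following added Python script (written for this article, not taken from it) parses the kernel message, counts drops per router and SPI, and flags SPIs the peer keeps using that are absent from the router's current inbound SA database. The syslog line layout, the host names, the SPI values and the installed-SPI sets are all constructed assumptions.

```python
import re
from collections import Counter

# Assumed syslog line shape (constructed for this example, not quoted from the article):
#   "Mar  5 10:22:01 r1 /kernel: IPv6 ESP input: no key association found for spi 0x1a2b3c4d"
# The SPI is accepted in hex (0x...) or decimal.
NO_SA_RE = re.compile(
    r"^(?P<ts>\S+ +\d+ [\d:]+) (?P<host>\S+) /kernel: "
    r"IPv6 ESP input: no key association found for spi (?P<spi>0x[0-9a-fA-F]+|\d+)$"
)

def parse_no_sa(line):
    """Return (host, spi) for a matching kernel line, or None for any other line."""
    m = NO_SA_RE.match(line.strip())
    if not m:
        return None
    spi_text = m.group("spi")
    spi = int(spi_text, 16) if spi_text.lower().startswith("0x") else int(spi_text, 10)
    return m.group("host"), spi

def stale_spi_report(lines, installed_spis):
    """Count drops per (host, spi) and note whether that SPI is in the host's current
    inbound SA database. installed_spis maps host -> set of inbound SPIs (assumed to be
    collected by the operator from the router's SA listing)."""
    counts = Counter(p for p in map(parse_no_sa, lines) if p is not None)
    return {
        key: {"drops": n, "sa_installed": key[1] in installed_spis.get(key[0], set())}
        for key, n in counts.items()
    }

def stale_spis(report, min_drops=1):
    """SPIs the peer keeps using although no matching inbound SA exists locally: the
    signature of an attribute change made while the tunnel was up."""
    return sorted(k for k, v in report.items()
                  if not v["sa_installed"] and v["drops"] >= min_drops)

# Constructed sample log: r1 was reconfigured while the tunnel was up, so the peer keeps
# sending on the old SPI 0x1a2b3c4d. r2's SPI is installed, so its single hit is treated
# as a transient (e.g. a packet that arrived just before the SA was installed).
SAMPLE_LOG = [
    "Mar  5 10:22:01 r1 /kernel: IPv6 ESP input: no key association found for spi 0x1a2b3c4d",
    "Mar  5 10:22:02 r1 /kernel: IPv6 ESP input: no key association found for spi 0x1a2b3c4d",
    "Mar  5 10:22:02 r1 sshd[1234]: Accepted publickey for admin from 2001:db8::1",
    "Mar  5 10:22:05 r2 /kernel: IPv6 ESP input: no key association found for spi 305419896",
]
INSTALLED = {"r1": {0x5e5e0001}, "r2": {305419896}}  # assumed current inbound SPIs

if __name__ == "__main__":
    rep = stale_spi_report(SAMPLE_LOG, INSTALLED)
    for host, spi in stale_spis(rep, min_drops=2):
        print(f"{host}: peer still sends ESP on SPI {spi:#x}, {rep[(host, spi)]['drops']} drops, no local SA")
```

A stale SPI that keeps accumulating drops after a known configuration change is the cue to apply the de-activate / change / re-activate procedure above on both routers.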

About the author

Prasanna