Config Router


‘/kernel: IPv6 ESP input: no key association found for spi xxxxxx’

August 30, 2016 by Marques Brownlee

This article explains the /kernel: IPv6 ESP input: no key association found for spi xxxxxx syslog message and how to avoid it:

% grep -i IPv6 messages
Dec 28 10:35:35.907 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 3715243453
Dec 28 10:40:28.980 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 3952502221
Dec 28 10:42:56.918 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 135647907
Dec 28 10:44:21.797 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 3510960257
Dec 28 10:47:52.994 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 844099669
Dec 28 10:50:20.871 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 3317616808
Dec 28 10:52:48.926 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 648115457
Dec 28 10:55:17.066 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 1091746910

This kernel message means that the remote IPsec peer still believes that an outstanding Security Association (SA) is defined, and it is sending encrypted packets that the router does not understand. When a router receives an ESP-encrypted packet from the peer and has no SA corresponding to the SPI <spi> specified in the ESP header, you will see this message.

An SA is the establishment of shared security attributes on the IPsec connection to support secure communication. It includes attributes such as SPI, protocol (AH/ESP), mode (Tunnel/Transport), encryption (DES/3DES/AES), authentication, auth-key, sequence counter, DSCP, Path MTU, IP addresses of the tunnel endpoints, and SA lifetime. If these attributes are changed while the IPsec tunnel is up, and some attributes in the ESP header of incoming encrypted packets are not found in the established SA, you will probably see the message.

When this message is generated, the packets are dropped even though the IPsec tunnel is up. The IPsec tunnel will remain established until the tunnel session expires.

This behavior is not a bug.

This issue is triggered by a configuration change of the IPsec tunnel attributes while the tunnel is up. As a workaround, avoid configuration changes while the tunnel is in use, and do not de-activate the relevant configuration.

You should de-activate the specific IPsec tunnel on both of the routers before changing these attributes, and then activate the tunnel. After this is done, the IPv6 ESP input: no key association found for spi xxxxxx syslog message will no longer be generated.
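To confirm that the message stops once the tunnel is re-activated, the script below parses the messages file format shown above and counts the drops logged after a given time. It is an added example, not Juniper tooling or code from the original article. The function names, the log year, and the re-activation time are assumptions. SPIs are also printed in hexadecimal for comparison with tools that display them that way.

```python
import re
from datetime import datetime

# Message format as shown in the grep output on this page.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})(?:\.\d+)?\s+(?P<host>\S+)\s+"
    r"/kernel: IPv6 ESP input: no key association found for spi (?P<spi>\d+)$"
)

def parse_drops(lines, year):
    """Return sorted (datetime, host, spi) tuples; syslog omits the year, so pass it in."""
    drops = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated message
        spi = int(m["spi"])
        if not 0 < spi <= 0xFFFFFFFF:
            continue  # the SPI is a 32-bit field; anything else is a damaged line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        drops.append((ts, m["host"], spi))
    return sorted(drops)

def summarize(drops, reactivated_at=None):
    """Per-host totals, distinct SPIs (hex), and drops logged after re-activation."""
    out = {}
    for ts, host, spi in drops:
        s = out.setdefault(host, {"count": 0, "spis": [], "first": ts,
                                  "last": ts, "after_reactivation": 0})
        s["count"] += 1
        s["last"] = ts
        hex_spi = f"0x{spi:08x}"
        if hex_spi not in s["spis"]:
            s["spis"].append(hex_spi)
        if reactivated_at is not None and ts > reactivated_at:
            s["after_reactivation"] += 1
    return out

# The first four lines are from the page; the last is a constructed unrelated line.
SAMPLE = """\
Dec 28 10:35:35.907 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 3715243453
Dec 28 10:40:28.980 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 3952502221
Dec 28 10:42:56.918 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 135647907
Dec 28 10:44:21.797 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 3510960257
Dec 28 10:45:00.000 Jam-re0 mgd[1234]: constructed unrelated message
""".splitlines()

if __name__ == "__main__":
    drops = parse_drops(SAMPLE, year=2015)        # the year is an assumption
    cutoff = datetime(2015, 12, 28, 10, 41, 0)    # constructed re-activation time
    for host, s in summarize(drops, cutoff).items():
        print(host, s["count"], s["first"], s["last"], s["spis"], s["after_reactivation"])
```

A non-zero after_reactivation count means the peer is still sending on an SA this router does not hold.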
