Frank- I'll contact you directly about this.

On Fri, Dec 18, 2020 at 1:20 PM Frank Bulk <frnkblk@iname.com> wrote:
Curious if someone can point me in the right direction. In the last three days our core router (Cisco 7609) has logged the following events:
Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20
Dec 16 20:41:47.822 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=203.84.212.18, input interface=Vlan20
Dec 16 21:28:12.667 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.36, input interface=Vlan21
Dec 16 22:22:40.558 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan21
Dec 16 22:42:17.404 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan20
Dec 17 00:04:34.704 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.34, input interface=Vlan21
Dec 17 00:05:41.656 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.103, input interface=Vlan20
Dec 17 08:54:29.583 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.104, input interface=Vlan21
Dec 17 09:20:31.881 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.37, input interface=Vlan21
Dec 17 19:45:29.615 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.36, input interface=Vlan20
Dec 17 19:59:52.663 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.24, input interface=Vlan20
Dec 17 23:20:02.869 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.99, input interface=Vlan21
Dec 18 00:15:19.536 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.53, input interface=Vlan21
Dec 18 00:43:00.158 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.101, input interface=Vlan20
Dec 18 00:44:52.018 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.100, input interface=Vlan21
All the destination IP addresses are in one of two categories:
- router interface
- inactive IP (no ARP entry)
Vlans 20 and 21 are the Vlans facing our two edge/border routers.
If I do a PTR lookup of each source IP, they're all some kind of cryptographic server in Yahoo's network:
203.84.212.18|18.212.84.203.in-addr.arpa domain name pointer lo301.cry1.sg3.yahoo.com.
203.84.212.24|24.212.84.203.in-addr.arpa domain name pointer lo303.cry2.sg3.yahoo.com.
203.84.212.36|36.212.84.203.in-addr.arpa domain name pointer lo303.cry1.tw1.yahoo.com.
203.84.212.53|53.212.84.203.in-addr.arpa domain name pointer lo300.cry2.tp2.yahoo.com.
68.180.160.100|100.160.180.68.in-addr.arpa domain name pointer lo303.cry1.md2.yahoo.com.
68.180.160.101|101.160.180.68.in-addr.arpa domain name pointer lo300.cry2.md2.yahoo.com.
68.180.160.103|103.160.180.68.in-addr.arpa domain name pointer lo302.cry2.md2.yahoo.com.
68.180.160.104|104.160.180.68.in-addr.arpa domain name pointer lo303.cry2.md2.yahoo.com.
68.180.160.18|18.160.180.68.in-addr.arpa domain name pointer lo301.cry1.ne1.yahoo.com.
68.180.160.34|34.160.180.68.in-addr.arpa domain name pointer lo301.cry1.bf1.yahoo.com.
68.180.160.36|36.160.180.68.in-addr.arpa domain name pointer lo303.cry1.bf1.yahoo.com.
68.180.160.37|37.160.180.68.in-addr.arpa domain name pointer lo300.cry2.bf1.yahoo.com.
68.180.160.99|99.160.180.68.in-addr.arpa domain name pointer lo302.cry1.md2.yahoo.com.
Any idea what's going on here? It's as if our 7600 is inspecting this traffic (presumably because it's not transit, it's being processed by the CPU) and seeing something special about it. Even if the router is not behaving correctly, why is Yahoo sending that kind of traffic to those IPs?
Frank AS53347
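An added triage helper, not part of the thread above: it parses the IOS %CRYPTO-4-RECVD_PKT_INV_SPI lines Frank posted, groups the events by SPI, and lists which source addresses are not configured IPsec peers (the `known_peers` set is an assumption supplied by the operator; the sample lines are copied from the post plus one constructed unrelated syslog line).

```python
import re
from collections import defaultdict

# Field layout of the IOS invalid-SPI message exactly as it appears in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+ \w+): %CRYPTO-4-RECVD_PKT_INV_SPI: "
    r"decaps: rec'd IPSEC packet has invalid spi for destaddr=(?P<dst>[^,]+), "
    r"prot=(?P<prot>\d+), spi=0x(?P<spi>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\), "
    r"srcaddr=(?P<src>[\d.]+), input interface=(?P<iface>\S+)$"
)

def parse_line(line):
    """Return the message fields as a dict, or None for any other syslog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # IOS prints the SPI twice (hex and decimal); drop lines where they disagree.
    if int(rec["spi"], 16) != int(rec["spi_dec"]):
        return None
    rec["prot"] = int(rec["prot"])
    return rec

def summarize(lines, known_peers=frozenset()):
    """Group ESP (prot=50) invalid-SPI events by SPI and flag sources that are
    not configured peers; those are the ones worth following up on."""
    by_spi = defaultdict(lambda: {"count": 0, "sources": set(), "ifaces": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prot"] != 50:
            continue
        entry = by_spi[rec["spi"].upper()]
        entry["count"] += 1
        entry["sources"].add(rec["src"])
        entry["ifaces"].add(rec["iface"])
    for entry in by_spi.values():
        entry["unknown_sources"] = entry["sources"] - known_peers
    return dict(by_spi)

# Three lines from the post plus one constructed, unrelated IOS message.
SAMPLE = [
    "Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20",
    "Dec 16 21:28:12.667 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.36, input interface=Vlan21",
    "Dec 17 08:54:29.583 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.104, input interface=Vlan21",
    "Dec 17 08:54:30.000 CST: %SYS-5-CONFIG_I: Configured from console by vty0",
]

if __name__ == "__main__":
    for spi, entry in summarize(SAMPLE, known_peers=frozenset({"68.180.160.18"})).items():
        print(spi, entry["count"], sorted(entry["unknown_sources"]), sorted(entry["ifaces"]))
```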