Symptom
A few DMVPN sessions get stuck on the branch site after a flap on the hub branch router.
Spoke#show crypto session interface tunnel201
Crypto session current status
Interface: Tunnel201
Session status: DOWN
Peer: 203.0.113.82 port 500
IPSEC FLOW: permit 47 host 203.0.113.48 host 203.0.113.82
Active SAs: 0, origin: crypto map
Interface: Tunnel201, IPv4 NHRP Details
Type:Spoke, NHRP Peers:4,
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
    1    203.0.113.82  198.51.100.100  NHRP    2d18h     S
Conditions
Scale setup with hundreds of spoke sites.
Workaround
N/A
Upgrade to a fixed release.
Further Problem Description
syslog:
Jun 4 09:37:53.752 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.82, prot=50, spi=0xBD84D835(3179599925), srcaddr=203.0.113.48, input interface=Tunnel200
Jun 4 09:39:12.602 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.82, prot=50, spi=0xBD84D835(3179599925), srcaddr=203.0.113.48, input interface=Tunnel200
Jun 4 09:39:47.126 CST: %OSPF-4-DUP_RTRID_AREA: Detected router with duplicate router ID 10.8.68.101 in area 0
Jun 4 09:40:22.330 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.82, prot=50, spi=0xBD84D835(3179599925), srcaddr=203.0.113.48, input interface=Tunnel200
Jun 4 09:40:29.731 CST: %CLEAR-5-COUNTERS: Clear counter on all interfaces by cisco on vty1 (10.74.44.163)
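
The syslog above shows the same SPI being rejected repeatedly from the same source. The following is an added example, not part of the original bug note or any Cisco tooling: it groups %CRYPTO-4-RECVD_PKT_INV_SPI messages by source, destination and SPI and reports flows that keep recurring. The function name, the report layout and the `min_hits` threshold are assumptions.

```python
import re
from collections import defaultdict

# Sample input: the five syslog lines shown on this page.
SAMPLE = """\
Jun 4 09:37:53.752 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.82, prot=50, spi=0xBD84D835(3179599925), srcaddr=203.0.113.48, input interface=Tunnel200
Jun 4 09:39:12.602 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.82, prot=50, spi=0xBD84D835(3179599925), srcaddr=203.0.113.48, input interface=Tunnel200
Jun 4 09:39:47.126 CST: %OSPF-4-DUP_RTRID_AREA: Detected router with duplicate router ID 10.8.68.101 in area 0
Jun 4 09:40:22.330 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.82, prot=50, spi=0xBD84D835(3179599925), srcaddr=203.0.113.48, input interface=Tunnel200
Jun 4 09:40:29.731 CST: %CLEAR-5-COUNTERS: Clear counter on all interfaces by cisco on vty1 (10.74.44.163)
"""

# Field order follows the message format seen in the syslog on this page.
INV_SPI = re.compile(
    r"^(?P<ts>.*?): %CRYPTO-4-RECVD_PKT_INV_SPI: .*?"
    r"destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=(?P<spi>0x[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\), "
    r"srcaddr=(?P<src>[\d.]+), input interface=(?P<intf>\S+)"
)


def stale_spi_flows(log_text, min_hits=3):
    """Return (src, dst, spi) flows rejected at least min_hits times (assumed threshold)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = INV_SPI.match(line.strip())
        # Skip other messages and lines whose hex and decimal SPI disagree (mangled line).
        if not m or int(m["spi"], 16) != int(m["spi_dec"]):
            continue
        hits[(m["src"], m["dst"], m["spi"].lower())].append((m["ts"], m["intf"]))
    report = []
    for (src, dst, spi), seen in hits.items():
        if len(seen) >= min_hits:
            report.append({
                "src": src, "dst": dst, "spi": spi, "count": len(seen),
                "first": seen[0][0], "last": seen[-1][0],
                "interfaces": sorted({intf for _, intf in seen}),
            })
    return report


if __name__ == "__main__":
    for flow in stale_spi_flows(SAMPLE):
        print(flow)
```

A flow reported here can then be checked against `show crypto session` on the device to see whether the matching session is DOWN with no active SAs, as in the Symptom output.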