Knowledge

ERROR_IPSEC_BAD_SPI - 13910 (0x3656)

The SPI in the packet does not match a valid IPsec SA.

Updated: Feb 21, 2026

Technical Background

The ERROR_IPSEC_BAD_SPI error indicates a failure in the Internet Protocol Security (IPsec) protocol stack, specifically related to the Security Parameter Index (SPI). The SPI is a unique identifier used by IPsec to match security associations (SAs) between peers. This error suggests that an incoming packet was received with an SPI value that does not correspond to any valid SA established in the system.

Error Details

  • Error Name: ERROR_IPSEC_BAD_SPI
  • Numeric Code: 13910
  • Hex Code: 0x3656
  • Short Description: The SPI in the packet does not match a valid IPsec SA.

Common Causes

The error ERROR_IPSEC_BAD_SPI is typically caused by one of the following scenarios:

  • An incoming packet contains an SPI value that has not been configured or established on the system.
  • There is a misconfiguration in the IPsec policy, leading to incorrect SPI values being used.
  • The SA for the given SPI has expired or been deleted.

Real-World Context

This error can occur when attempting to establish an IPsec connection between two systems. It indicates that the system received a packet with an SPI value that does not correspond to any existing SA, which is necessary for the packet to be processed and decrypted correctly.

Is This Error Critical?

The severity of this error depends on the context in which it occurs. If the error consistently blocks legitimate traffic, it may indicate a misconfiguration or a security issue. However, if it only appears occasionally, it might not be critical and could be due to temporary network conditions or transient issues.

How to Diagnose

To diagnose this error, follow these steps:

  1. Review IPsec Configuration: Ensure that the correct policies are in place and that the SPI values match those expected by the system.
  2. Check SA Status: Verify that the SA for the given SPI is active and not expired or deleted.
  3. Validate Packet Content: Confirm that the packet contains valid data and that it matches the expected format and content.

How to Resolve

To resolve this error, consider the following actions:

  • Correct any misconfigurations in the IPsec policy.
  • Ensure that the SA for the given SPI is properly established and not expired.
  • Verify the integrity of the packet and ensure it matches the expected format and content.

Developer Notes

Developers should be aware that this error can impact the performance and reliability of IPsec connections. It is essential to thoroughly test and validate configurations before deploying them in a production environment.

Related Errors

  • ERROR_IPSEC_SA_RENDEZVOUS_FAILED (13908): Indicates a failure in establishing an SA.
  • ERROR_IPSEC_KEY_EXCHANGE_FAILED (13912): Indicates a failure during the key exchange process.

FAQ

Q: What does the ERROR_IPSEC_BAD_SPI error mean?

A: The SPI in the packet does not match a valid IPsec SA, indicating that an incoming packet was received with an incorrect or unconfigured SPI value.

Q: How can I prevent this error from occurring?

A: Ensure proper configuration of IPsec policies and SAs. Regularly check for expired or deleted SAs and validate the integrity of packets to ensure they match expected values.

Summary

The ERROR_IPSEC_BAD_SPI error is a specific issue related to IPsec protocol mismatches, indicating that an incoming packet's SPI value does not correspond to any valid SA. This can be caused by misconfigurations or temporary network conditions and should be diagnosed and resolved by reviewing IPsec policies, verifying SAs, and ensuring the integrity of packets.