Router reloads affecting VPN module

Mar 13th, 2007

I am not sure if my VPN module is faulty, if it is causing the router to reload. I have enclosed the following logs.

*Mar 1 00:00:22 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

Mar 12 03:20:16 GMT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for

destaddr=, prot=51, spi=0x1903C842(419678274), srcaddr=

Mar 12 03:20:18 GMT: %CRYPTO-4-IKMP_NO_SA: IKE message from has no SA and is not an initialization offer

Mar 12 03:21:00 GMT: %HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]

Mar 12 03:22:18 GMT: %HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]

Mar 12 03:23:50 GMT: %HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]

Kamal Malhotra Tue, 03/13/2007 - 07:02

Hi,

1. %HW_VPN-1-LPRXERR: [chars]: Command Error IPSEC cmd=[chars] Uproc cmd=[chars] status=[chars]

An error has occurred during the execution of a key management command by the EAIM.

Recommended Action: The EAIM may require replacement. Make a note of the status value, and contact your Cisco technical support representative.

You can probably find some more information at:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_release_note09186a008015a8c6.html

HTH,

Please rate if it helps,

Regards,

Kamal

Richard Burts Tue, 03/13/2007 - 11:08

Mayamba

I do not believe that we have enough information here to really understand your problem. If you can provide additional details we might be able to provide better answers. But I do not see anything in what you have posted that indicates that the VPN module is causing the router to reload.

What I do see is consistent with what I frequently see AFTER a router reload:

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

The interface just came up. Is this after the router reload?

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for

I frequently see this after a router reload. I believe that the explanation is that there had been an IPSec Security Association before the router rebooted. After the reboot, this router obviously has no SA, but the remote does have an existing SA and has sent a packet using that SA. The router rejects the packet because invalid SPI means that the SPI is related to the SA that no longer exists.

%HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15

I have not seen this much, but it looks to me like it is trying to clean up something AFTER a reload rather than causing a reload. If Kamal has information that indicates that this may be a hardware problem, then perhaps the module needs to be replaced. But I am not seeing evidence that it causes the router to reload.

HTH

Rick

Kamal Malhotra Tue, 03/13/2007 - 12:23

Hi Rick,

I agree with you but I decoded the error message in the Error Message Decoder and have pasted the output. If you have the link to the tool you can also check it.

http://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi?action=search&index=all&locale=en&query=%25HW_VPN-1-LPRXERR%3A+Virtual+Private+Network+%28VPN%29+Module1%2F15+&counter=0&paging=5&links=reference&sa=Submit

Regards,

Kamal
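
Added example, not part of the original thread and not a Cisco tool: a Python parser that pulls from the posted log the values the replies refer to, namely the LPRXERR command and status to note for a support case, the SPI rejected as invalid, and any message stamped before the clock was set. The function names are hypothetical, and reading a leading "*" as an unset clock is general IOS behaviour assumed here, not something stated in the thread.

```python
import re
from collections import Counter

# Log lines as posted in the thread (addresses were already blank there).
SAMPLE = """\
*Mar 1 00:00:22 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
Mar 12 03:20:16 GMT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
destaddr=, prot=51, spi=0x1903C842(419678274), srcaddr=
Mar 12 03:20:18 GMT: %CRYPTO-4-IKMP_NO_SA: IKE message from has no SA and is not an initialization offer
Mar 12 03:21:00 GMT: %HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]
Mar 12 03:22:18 GMT: %HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]
Mar 12 03:23:50 GMT: %HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]
"""

# Assumption: "*" before the timestamp means the clock was not yet set.
HEAD = re.compile(
    r"^(?P<unsynced>\*)?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)(?: \w+)?: "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")

def parse(log):
    """Return one dict per message, folding wrapped lines into the message."""
    records = []
    for line in (l.strip() for l in log.splitlines()):
        m = HEAD.match(line)
        if m:
            records.append(m.groupdict())
        elif line and records:
            records[-1]["text"] += " " + line  # continuation of previous message
    return records

def triage(records):
    """Collect the fields a support case or a post-reload check needs."""
    out = {"counts": Counter(f'{r["fac"]}-{r["mnem"]}' for r in records),
           "unsynced": [r["ts"] for r in records if r["unsynced"]],
           "stale_spis": set(), "module_errors": Counter()}
    for r in records:
        if r["mnem"] == "RECVD_PKT_INV_SPI":
            out["stale_spis"].update(re.findall(r"spi=(0x[0-9A-Fa-f]+)", r["text"]))
        elif r["mnem"] == "LPRXERR":
            m = re.search(r"IPSEC cmd=(\S+) .*status=(\S+)", r["text"])
            if m:
                out["module_errors"][m.groups()] += 1  # key: (command, status)
    return out

if __name__ == "__main__":
    for key, value in triage(parse(SAMPLE)).items():
        print(key, value)
```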
