Router reloads affecting VPN module

Mar 13th, 2007

I am not sure if my VPN module is faulty, or if it is causing the router to reload. I have enclosed the following logs.


*Mar 1 00:00:22 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

Mar 12 03:20:16 GMT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=, prot=51, spi=0x1903C842(419678274), srcaddr=

Mar 12 03:20:18 GMT: %CRYPTO-4-IKMP_NO_SA: IKE message from has no SA and is not an initialization offer

Mar 12 03:21:00 GMT: %HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]


Mar 12 03:22:18 GMT: %HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]


Mar 12 03:23:50 GMT: %HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]


Kamal Malhotra Tue, 03/13/2007 - 07:02

Hi,


1. %HW_VPN-1-LPRXERR: [chars]: Command Error IPSEC cmd=[chars] Uproc cmd=[chars] status=[chars]

An error has occurred during the execution of a key management command by the EAIM.


Recommended Action: The EAIM may require replacement. Make a note of the status value, and contact your Cisco technical support representative.


You can probably find some more information at:


http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_release_note09186a008015a8c6.html


HTH,


Please rate if it helps,


Regards,


Kamal

Richard Burts Tue, 03/13/2007 - 11:08

Mayamba


I do not believe that we have enough information here to really understand your problem. If you can provide additional details we might be able to provide better answers. But I do not see anything in what you have posted that indicates that the VPN module is causing the router to reload.


What I do see is consistent with what I frequently see AFTER a router reload:

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

The interface just came up. Is this after the router reload?

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for

I frequently see this after a router reload. I believe that the explanation is that there had been an IPSec Security Association before the router rebooted. After the reboot, this router obviously has no SA, but the remote does have an existing SA and has sent a packet using that SA. The router rejects the packet because invalid SPI means that the SPI is related to the SA that no longer exists.

%HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15

I have not seen this much, but it looks to me like it is trying to clean up something AFTER a reload rather than causing a reload. If Kamal has information that indicates that this may be a hardware problem, then perhaps the module needs to be replaced. But I am not seeing evidence that it causes the router to reload.


HTH


Rick
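
A log triage along the lines of the reading above, as an added example that is not part of the thread or written by any of its posters: it parses the posted IOS syslog lines, flags timestamps marked `*` (clock not authoritative, as seen just after boot), pulls out the rejected SPI, and groups the repeated VPN-module errors with the gaps between them. The function names and the year 2007 (taken from the post date, since the log carries no year) are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Log lines copied from the original post (the addresses were already blank there).
HW = ("%HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error "
      "IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]")
SAMPLE = [
    "*Mar 1 00:00:22 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up",
    "Mar 12 03:20:16 GMT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    "destaddr=, prot=51, spi=0x1903C842(419678274), srcaddr=",
    "Mar 12 03:20:18 GMT: %CRYPTO-4-IKMP_NO_SA: IKE message from has no SA and is not an initialization offer",
    "Mar 12 03:21:00 GMT: " + HW,
    "Mar 12 03:22:18 GMT: " + HW,
    "Mar 12 03:23:50 GMT: " + HW,
]

LINE = re.compile(r"^(?P<flag>[*.]?)(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\w+:\s+"
                  r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mn>[A-Z_]+):\s*(?P<msg>.*)$")
SPI = re.compile(r"spi=(0x[0-9A-Fa-f]+)")
HWERR = re.compile(r"IPSEC cmd=(\w+)\[.*status=(\w+\[0x[0-9A-Fa-f]+\])")

def parse(line, year):
    """Split one IOS syslog line into its fields; return None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # The log carries no year, so the caller supplies one (an assumption).
    ev["when"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev

def triage(lines, year=2007):
    """Summarise reload hints, stale-SPI drops and repeated VPN-module errors."""
    events = [e for e in (parse(l, year) for l in lines) if e]
    hw = [e for e in events if e["fac"] == "HW_VPN" and HWERR.search(e["msg"])]
    return {
        # '*' before the timestamp means the clock is not authoritative,
        # which is what a router shows just after boot, before its time is set.
        "clock_unset_lines": sum(e["flag"] == "*" for e in events),
        "invalid_spis": [SPI.search(e["msg"]).group(1) for e in events
                         if e["mn"] == "RECVD_PKT_INV_SPI" and SPI.search(e["msg"])],
        "hw_vpn_signatures": Counter(HWERR.search(e["msg"]).groups() for e in hw),
        "hw_vpn_gaps_s": [int((b["when"] - a["when"]).total_seconds())
                          for a, b in zip(hw, hw[1:])],
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the posted lines this reports one unset-clock line, one rejected SPI, and a single command/status pair repeated three times; the summary does not by itself say whether the module is faulty.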

Kamal Malhotra Tue, 03/13/2007 - 12:23

Hi Rick,


I agree with you, but I decoded the error message in the Error Message Decoder and have pasted the output. If you have the link to the tool, you can also check it.


http://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi?action=search&index=all&locale=en&query=%25HW_VPN-1-LPRXERR%3A+Virtual+Private+Network+%28VPN%29+Module1%2F15+&counter=0&paging=5&links=reference&sa=Submit


Regards,


Kamal
