cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
472
Views
0
Helpful
3
Replies

Router reloads affecting VPN module

mayambanzumba
Level 1
Level 1

I am not sure if my VPN module is faulty, if it is causing the router to reload, I have enclosed the following logs.

*Mar 1 00:00:22 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

Mar 12 03:20:16 GMT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for

destaddr=, prot=51, spi=0x1903C842(419678274), srcaddr=

Mar 12 03:20:18 GMT: %CRYPTO-4-IKMP_NO_SA: IKE message from has no SA and is not an initialization offer

Mar 12 03:21:00 GMT: %HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]

Mar 12 03:22:18 GMT: %HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]

Mar 12 03:23:50 GMT: %HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]

3 Replies 3

Kamal Malhotra
Cisco Employee
Cisco Employee

Hi,

1. %HW_VPN-1-LPRXERR: [chars]: Command Error IPSEC cmd=[chars][[hex]] Uproc cmd=[chars][[dec]] status=[chars][[hex]]

An error has occurred during the execution of a key management command by the EAIM.

Recommended Action: The EAIM may require replacement. Make a note of the status value, and contact your Cisco technical support representative.

You can probably find some more information at :

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_release_note09186a008015a8c6.html

HTH,

Please rate if it helps,

Regards,

Kamal

Richard Burts
Hall of Fame
Hall of Fame

Mayamba

I do not believe that we have enough information here to really understand your problem. If you can provide additional details we might be able to provide better answers. But I do not see anything in what you have posted that indicates that the VPN module is causing the router to reload.

What I do see is consistent with what I frequently see AFTER a router reload:

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

the interface just came up. Is this after the router reload?

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for

I frequently see this after a router reload. I believe that the explanation is that there had been an IPSec Security Association before the router rebooted. After the reboot, this router obviously has no SA, but the remote does have an existing SA and has sent a packet using that SA. The router rejects the packet because invalid SPI means that the SPI is related to the SA that no longer exists.

%HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15

I have not seen this much, but it looks to me like it is trying to clean up something AFTER a reload rather than causing a reload. If Kamal has information that indicates that this may be a hardware problem, then perhaps the module needs to be replaced. But I am not seeing evidence that it causes the router to reload.

HTH

Rick

HTH

Rick

Hi Rick,

I agree with you but I decoded the error message in the Error Message Decoder and have pasted the output. If you have the link to the tool you can also check it.

http://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi?action=search&index=all&locale=en&query=%25HW_VPN-1-LPRXERR%3A+Virtual+Private+Network+%28VPN%29+Module1%2F15+&counter=0&paging=5&links=reference&sa=Submit

Regards,

Kamal

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: