06-11-2007 11:51 PM - edited 02-21-2020 03:06 PM
An ASA 5100 is used to provide VPN access for my company. The configuration was done by a previous guy who has been gone for quite some time, and the configuration was OK until this morning. This morning some users reported that their VPN would be dropped once it got connected. I checked the ASA, and in ASDM I can see that every time a user drops, their IPSec tunnel is still active. Furthermore, I simulated the problem and got the following error log:
1 11:14:45.898 06/12/07 Sev=Warning/3 IKE/0xE3000065 Could not find an IKE SA for 10.2.1.8. KEY_REQ aborted.
2 11:14:45.898 06/12/07 Sev=Warning/2 IKE/0xE3000099 Failed to initiate P2 rekey: Error detected(Initiate:176)
3 11:14:45.898 06/12/07 Sev=Warning/2 IKE/0xE3000099 Unable to initiate QM (IKE_MAIN:458)
On the ASA side I ran "debug crypto isakmp" and "debug crypto ipsec", and I got the following errors:
iscoasa# IPSEC ERROR: Asynchronous operation timer expired, SPI: 0x114CA5B6, user: roeladmin, peer: 202.x.x.70, time: 2 seconds, ctm_ipsec_create_sa:856
IPSEC ERROR: Outbound hardware SA create command failed, SPI: 0x114CA5B6, error code: 0x17
IPSEC ERROR: Asynchronous operation timer expired, SPI: 0x61BE2022, user: roeladmin, peer: 202.x.x.70, time: 2 seconds, ctm_ipsec_create_sa:856
IPSEC ERROR: Failed to add a user auth entry, SPI: 0x61BE2022, user: roeladmin, peer: 202.172.62.70
IPSEC ERROR: Failed to create an inbound SA, SPI:0x61BE2022
IPSEC ERROR: Failed to complete the UPDATE command from IKE
Jun 12 14:25:13 [IKEv1]: Group = LANWORKS, Username = roeladmin, IP = 202.172.62.70, QM FSM error (P2 struct &0x4699058, mess id 0xf37ec6f4)!
Jun 12 14:25:13 [IKEv1]: Group = LANWORKS, Username = roeladmin, IP = 202.172.62.70, Removing peer from correlator table failed, no match!
IPSEC ERROR: Inbound hardware SA create command failed, SPI: 0x61BE2022, error code: 0x17
It shows that the SA create failed, but I can't find the problem in the configuration. Could someone help me with it? Thanks.
06-18-2007 09:22 AM
Outbound hardware SA create command failed, SPI: 0x114CA5B6, error code: 0x17
This is a hardware problem; reboot the firewall and it will work. I've seen it 4 times in different ASAs.
Please rate the post if it helps.
01-07-2008 06:14 AM
I've had the same problem and I had to reboot. Is there any explanation why this is happening?
01-07-2008 11:50 AM
Yes, there is an explanation: it's a bug. I don't know the bug ID right now, but now I know you can issue the command "clear local-host" instead of rebooting the whole appliance.
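For triaging captures like the one in the question, the following is an added example (not part of the thread and not Cisco tooling) that groups "hardware SA create command failed" lines by SPI and attaches the user and peer from the matching timer-expired line. The sample text is constructed from the debug lines quoted above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the debug output quoted in the question.
SAMPLE = """\
IPSEC ERROR: Asynchronous operation timer expired, SPI: 0x114CA5B6, user: roeladmin, peer: 202.x.x.70, time: 2 seconds, ctm_ipsec_create_sa:856
IPSEC ERROR: Outbound hardware SA create command failed, SPI: 0x114CA5B6, error code: 0x17
IPSEC ERROR: Failed to create an inbound SA, SPI:0x61BE2022
IPSEC ERROR: Failed to complete the UPDATE command from IKE
IPSEC ERROR: Inbound hardware SA create command failed, SPI: 0x61BE2022, error code: 0x17
"""

HW_FAIL = re.compile(
    r"IPSEC ERROR: (Inbound|Outbound) hardware SA create command failed, "
    r"SPI:\s*(0x[0-9A-Fa-f]+), error code:\s*(0x[0-9A-Fa-f]+)")
TIMER = re.compile(
    r"IPSEC ERROR: Asynchronous operation timer expired, "
    r"SPI:\s*(0x[0-9A-Fa-f]+), user: ([^,\s]+), peer: ([^,\s]+),")

def norm(hexval):
    """Normalise a hex token so 0x61be2022 and 0x61BE2022 compare equal."""
    return "0x" + hexval[2:].upper()

def summarize(text):
    """Return {SPI: {"events": [(direction, code)], "user_peer": (user, peer) or None}}."""
    who, failures = {}, defaultdict(list)
    for line in text.splitlines():
        m = TIMER.search(line)
        if m:
            who[norm(m.group(1))] = (m.group(2), m.group(3))
            continue
        m = HW_FAIL.search(line)
        if m:
            direction, spi, code = m.groups()
            failures[norm(spi)].append((direction.lower(), norm(code)))
    return {spi: {"events": ev, "user_peer": who.get(spi)}
            for spi, ev in failures.items()}

def error_codes(summary):
    """Distinct error codes seen across all hardware SA create failures."""
    return {code for entry in summary.values() for _, code in entry["events"]}

if __name__ == "__main__":
    for spi, entry in summarize(SAMPLE).items():
        print(spi, entry["events"], entry["user_peer"])
```

Failures with the same error code across several SPIs, users, or peers indicate the symptom is not tied to one client's session.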