"SA create failed" problem for IPSec VPN

Answered Question
Jun 11th, 2007

An ASA 5100 is used to provide VPN access for my company. The configuration was done by some previous guy who has been gone for quite some time, and the configuration used to be OK before this morning. This morning some users reported that their VPN would be dropped once they got connected. I have checked the ASA, and on ASDM I can see that every time the user drops, their IPSec tunnel is still active. Furthermore, I simulated the problem and got the error log as:

1 11:14:45.898 06/12/07 Sev=Warning/3 IKE/0xE3000065 Could not find an IKE SA for 10.2.1.8. KEY_REQ aborted.

2 11:14:45.898 06/12/07 Sev=Warning/2 IKE/0xE3000099 Failed to initiate P2 rekey: Error detected(Initiate:176)

3 11:14:45.898 06/12/07 Sev=Warning/2 IKE/0xE3000099 Unable to initiate QM (IKE_MAIN:458)

On the ASA side I did "debug crypto isakmp" and "debug crypto ipsec", and I got the following errors:

iscoasa# IPSEC ERROR: Asynchronous operation timer expired, SPI: 0x114CA5B6, user: roeladmin, peer: 202.x.x.70, time: 2 seconds, ctm_ipsec_create_sa:856

IPSEC ERROR: Outbound hardware SA create command failed, SPI: 0x114CA5B6, error code: 0x17

IPSEC ERROR: Asynchronous operation timer expired, SPI: 0x61BE2022, user: roeladmin, peer: 202.x.x.70, time: 2 seconds, ctm_ipsec_create_sa:856

IPSEC ERROR: Failed to add a user auth entry, SPI: 0x61BE2022, user: roeladmin, peer: 202.172.62.70

IPSEC ERROR: Failed to create an inbound SA, SPI:0x61BE2022

IPSEC ERROR: Failed to complete the UPDATE command from IKE

Jun 12 14:25:13 [IKEv1]: Group = LANWORKS, Username = roeladmin, IP = 202.172.62.70, QM FSM error (P2 struct &0x4699058, mess id 0xf37ec6f4)!

Jun 12 14:25:13 [IKEv1]: Group = LANWORKS, Username = roeladmin, IP = 202.172.62.70, Removing peer from correlator table failed, no match!

IPSEC ERROR: Inbound hardware SA create command failed, SPI: 0x61BE2022, error code: 0x17

It shows that the SA create failed, but I can't find the problem with the configuration. Could someone help me with it? Thanks.

Correct Answer by guibarati, Mon, 06/18/2007 - 09:22

Outbound hardware SA create command failed, SPI: 0x114CA5B6, error code: 0x17

This is a hardware problem; reboot the firewall and it will work. I've seen it 4 times in different ASAs.

Please rate the post if it helps.


guibarati Mon, 01/07/2008 - 11:50

Yes, there is an explanation: it's a bug. I don't know the bug ID right now, but now I know you can issue the command "clear local-host" instead of rebooting the whole appliance.
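The debug lines quoted in the question, run through a small triage script, as an added example that is not part of this thread: it groups the IPSEC ERROR lines by SPI, pulls out user, peer and error code, and flags the SAs whose hardware create command failed, the pattern the accepted answer attributes to the appliance rather than to the configuration. The sample input is constructed from the output posted above (prompt stripped, masked peer address kept); the function and field names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the ASA "debug crypto ipsec" lines from the question,
# with the console prompt removed. Not a live capture.
SAMPLE_DEBUG = """\
IPSEC ERROR: Asynchronous operation timer expired, SPI: 0x114CA5B6, user: roeladmin, peer: 202.x.x.70, time: 2 seconds, ctm_ipsec_create_sa:856
IPSEC ERROR: Outbound hardware SA create command failed, SPI: 0x114CA5B6, error code: 0x17
IPSEC ERROR: Asynchronous operation timer expired, SPI: 0x61BE2022, user: roeladmin, peer: 202.x.x.70, time: 2 seconds, ctm_ipsec_create_sa:856
IPSEC ERROR: Failed to add a user auth entry, SPI: 0x61BE2022, user: roeladmin, peer: 202.x.x.70
IPSEC ERROR: Failed to create an inbound SA, SPI:0x61BE2022
IPSEC ERROR: Failed to complete the UPDATE command from IKE
IPSEC ERROR: Inbound hardware SA create command failed, SPI: 0x61BE2022, error code: 0x17
"""

# Message text up to the first comma, an optional "SPI: 0x..." field
# (the ASA sometimes omits the space after the colon), then the remainder.
IPSEC_ERR = re.compile(
    r"^IPSEC ERROR: (?P<msg>[^,]+)(?:, SPI:\s*(?P<spi>0x[0-9A-Fa-f]+))?(?P<rest>.*)$")
FIELD = re.compile(r"(?P<key>user|peer|error code): (?P<val>[^,]+)")
HW_FAIL = "hardware SA create command failed"


def parse_ipsec_errors(text):
    """Group IPSEC ERROR records by SPI; lines carrying no SPI go under None."""
    by_spi = defaultdict(list)
    for line in text.splitlines():
        m = IPSEC_ERR.match(line.strip())
        if not m:
            continue
        rec = {"msg": m.group("msg").strip()}
        for f in FIELD.finditer(m.group("rest")):
            rec[f.group("key")] = f.group("val").strip()
        by_spi[m.group("spi")].append(rec)
    return by_spi


def triage(by_spi):
    """One finding per SA whose hardware create command failed, with the
    user/peer context gathered from the other records for the same SPI."""
    findings = []
    for spi, recs in by_spi.items():
        if spi is None:
            continue
        ctx = {k: v for r in recs for k, v in r.items() if k in ("user", "peer")}
        for r in recs:
            if HW_FAIL in r["msg"]:
                findings.append({"spi": spi,
                                 "direction": r["msg"].split()[0].lower(),
                                 "user": ctx.get("user"), "peer": ctx.get("peer"),
                                 "error_code": r.get("error code")})
    return findings
```

When `triage` returns findings for a peer, the thread's remediation applies: try `clear local-host` first, and reboot the appliance if that does not clear it.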
