Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6295
Views
13
Helpful
3
Replies

"SA create failed" problem for IPSec VPN

Go to solution
xianglingzj
Level 1
Level 1

‎06-11-2007 11:51 PM - edited ‎02-21-2020 03:06 PM

An ASA 5100 is used to provide VPN access for my company. The configuration was done by some pervious guy who has gone for quite some time, and the configuration used to be OK before this morning. This morning some user reported that their VPN would be dropped once got connected. I have checked the ASA and on ASDM, I can see every time when the user drops, there IPSec tunnel is still action. Furthermore I simulated the problem and got the error log as:

1 11:14:45.898 06/12/07 Sev=Warning/3 IKE/0xE3000065 Could not find an IKE SA for 10.2.1.8. KEY_REQ aborted.

2 11:14:45.898 06/12/07 Sev=Warning/2 IKE/0xE3000099 Failed to initiate P2 rekey: Error detected(Initiate:176)

3 11:14:45.898 06/12/07 Sev=Warning/2 IKE/0xE3000099 Unable to initiate QM (IKE_MAIN:458)

On the AS side I did "debug crypto isakmp" and "debug crypto ipsec", and I got the following errors:

iscoasa# IPSEC ERROR: Asynchronous operation timer expired, SPI: 0x114CA5B6, user: roeladmin, peer: 202.x.x.70, time: 2 seconds, ctm_ipsec_create_sa:856

IPSEC ERROR: Outbound hardware SA create command failed, SPI: 0x114CA5B6, error code: 0x17

IPSEC ERROR: Asynchronous operation timer expired, SPI: 0x61BE2022, user: roeladmin, peer: 202.x.x.70, time: 2 seconds, ctm_ipsec_create_sa:856

IPSEC ERROR: Failed to add a user auth entry, SPI: 0x61BE2022, user: roeladmin, peer: 202.172.62.70

IPSEC ERROR: Failed to create an inbound SA, SPI:0x61BE2022

IPSEC ERROR: Failed to complete the UPDATE command from IKE

Jun 12 14:25:13 [IKEv1]: Group = LANWORKS, Username = roeladmin, IP = 202.172.62.70, QM FSM error (P2 struct &0x4699058, mess id 0xf37ec6f4)!

Jun 12 14:25:13 [IKEv1]: Group = LANWORKS, Username = roeladmin, IP = 202.172.62.70, Removing peer from correlator table failed, no match!

IPSEC ERROR: Inbound hardware SA create command failed, SPI: 0x61BE2022, error code: 0x17

It shows that SA create failed. But I can't find the problem with the configuration. May someone help me on it? thanks

Labels:
Preview file
13 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
guibarati
Level 4
Level 4

‎06-18-2007 09:22 AM

Outbound hardware SA create command failed, SPI: 0x114CA5B6, error code: 0x17

This is a hardware problem, reboot the firewall and it will work, i've seen it 4 times in different ASAs

Please hate the post if help.

View solution in original post

3 Replies 3

Go to solution
guibarati
Level 4
Level 4

‎06-18-2007 09:22 AM

Outbound hardware SA create command failed, SPI: 0x114CA5B6, error code: 0x17

This is a hardware problem, reboot the firewall and it will work, i've seen it 4 times in different ASAs

Please hate the post if help.

Go to solution
klein425
Level 1
Level 1
In response to guibarati

‎01-07-2008 06:14 AM

I've had the same problem and I had to reboot. Is there any explanation why this is happening?

0 Helpful

Go to solution
guibarati
Level 4
Level 4
In response to klein425

‎01-07-2008 11:50 AM

Yes, there is a explanation, it's a bug, I don't know the bug ID right now, but now I know you can issue the command " clear local-host" instead of rebooting the whole appliance.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents