GDOI VPN - IPSEC SA Failing

mbajelis
Level 1

This is a strange one, and unfortunately I cannot find any literature in either the TAC Case collections or support documentation.

I am running a GDOI VPN. It has been humming along nicely, until the following started appearing in the group member logs (group members are 1801s):

%GDOI-3-GM_NO_IPSEC_FLOWS : IPSec FLOW limit possibly reached

Once this started happening, the encryption (or rather the ability to decrypt) between group members simply stopped with the next change of keys.

All group members are still active participants in the GDOI VPN, they just can't encrypt or decrypt targeted traffic successfully (so they are registered with the keyserver, and have the current service policy etc).

The only way to get the group member to properly participate in the mesh again is to reload it, which isn't the ideal fix obviously.

Anyone with ideas?

I am guessing it revolves around this:

%GDOI-3-GM_NO_IPSEC_FLOWS : IPSec FLOW limit possibly reached
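Since the poster's only lead is the syslog message itself, the practical defender's step is to catch it on the syslog collector before the next rekey turns it into a silent decryption outage. The following is an added example (not from the post or from Cisco): it parses the IOS %FACILITY-SEVERITY-MNEMONIC header, attributes each message to the sending group member, and counts GM_NO_IPSEC_FLOWS hits per device. The collector line format, hostnames and timestamps are constructed assumptions.

```python
import re
from collections import Counter

# Cisco IOS message body: %FACILITY-SEVERITY-MNEMONIC: text (severity 0 = emergency .. 7 = debug).
IOS_MSG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+)\s*:\s*(?P<text>.*)$")
# Assumed syslog-server prefix as written by a typical collector: "Mon DD HH:MM:SS hostname seq: ..."
HOST_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) ")

# The (facility, mnemonic) pair the thread identifies as preceding the loss of decryption.
WATCHED = {("GDOI", "GM_NO_IPSEC_FLOWS")}


def parse_line(line):
    """Return the parsed IOS message as a dict, or None for lines without a %FAC-SEV-MNEMONIC header."""
    m = IOS_MSG.search(line)
    if not m:
        return None
    h = HOST_PREFIX.match(line)
    return {
        "host": h.group("host") if h else "local",  # no collector prefix: message came from a local log
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text").strip(),
    }


def flag_flow_limit(lines):
    """Count GM_NO_IPSEC_FLOWS occurrences per group member so an operator can act before the next rekey."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and (rec["facility"], rec["mnemonic"]) in WATCHED:
            hits[rec["host"]] += 1
    return dict(hits)


# Constructed sample feed; hostnames, sequence numbers and timestamps are made up for this example.
SAMPLE = [
    "Mar 12 10:15:01 gm-branch-01 123: *Mar 12 10:15:00.512: %GDOI-3-GM_NO_IPSEC_FLOWS: IPSec FLOW limit possibly reached",
    "Mar 12 10:15:02 gm-branch-01 124: *Mar 12 10:15:01.100: %SYS-5-CONFIG_I: Configured from console by vty0",
    "Mar 12 10:15:03 gm-branch-02 311: *Mar 12 10:15:02.044: %GDOI-3-GM_NO_IPSEC_FLOWS: IPSec FLOW limit possibly reached",
    "Mar 12 10:15:04 gm-branch-01 125: *Mar 12 10:15:03.700: %GDOI-3-GM_NO_IPSEC_FLOWS: IPSec FLOW limit possibly reached",
    "plain text line from another source",
]

if __name__ == "__main__":
    for host, n in sorted(flag_flow_limit(SAMPLE).items()):
        print(f"{host}: {n} flow-limit warning(s); expect decryption failures at next rekey")
```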

1 Reply

mbajelis
Level 1

A small update of sorts.

Turning OFF the onboard crypto engine on an affected 1801 has resolved the issue.

If I turn it back on again it seems to continue working.

Resetting it is obviously flushing some kind of buffer.

It doesn't answer the question, though, of what is causing it and why, and more importantly how to prevent it in future...