New Member

Router reloads affecting VPN module

I am not sure if my VPN module is faulty, or if it is causing the router to reload. I have enclosed the following logs.

*Mar 1 00:00:22 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

Mar 12 03:20:16 GMT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for

destaddr=, prot=51, spi=0x1903C842(419678274), srcaddr=

Mar 12 03:20:18 GMT: %CRYPTO-4-IKMP_NO_SA: IKE message from has no SA and is not an initialization offer

Mar 12 03:21:00 GMT: %HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]

Mar 12 03:22:18 GMT: %HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]

Mar 12 03:23:50 GMT: %HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]

3 REPLIES
Cisco Employee

Re: Router reloads affecting VPN module

Hi,

1. %HW_VPN-1-LPRXERR: [chars]: Command Error IPSEC cmd=[chars][[hex]] Uproc cmd=[chars][[dec]] status=[chars][[hex]]

An error has occurred during the execution of a key management command by the EAIM.

Recommended Action: The EAIM may require replacement. Make a note of the status value, and contact your Cisco technical support representative.

You can probably find some more information at:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_release_note09186a008015a8c6.html

HTH,

Please rate if it helps,

Regards,

Kamal

Hall of Fame Super Gold

Re: Router reloads affecting VPN module

Mayamba

I do not believe that we have enough information here to really understand your problem. If you can provide additional details we might be able to provide better answers. But I do not see anything in what you have posted that indicates that the VPN module is causing the router to reload.

What I do see is consistent with what I frequently see AFTER a router reload:

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

The interface just came up. Is this after the router reload?

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for

I frequently see this after a router reload. I believe that the explanation is that there had been an IPSec Security Association before the router rebooted. After the reboot, this router obviously has no SA, but the remote does have an existing SA and has sent a packet using that SA. The router rejects the packet because invalid SPI means that the SPI is related to the SA that no longer exists.

%HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15

I have not seen this much, but it looks to me like it is trying to clean up something AFTER a reload rather than causing a reload. If Kamal has information that indicates that this may be a hardware problem, then perhaps the module needs to be replaced. But I am not seeing evidence that it causes the router to reload.

HTH

Rick
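The ordering argument in the reply above can be checked mechanically over a saved log. The following is an added example, not part of the original thread or any Cisco tool: `summarize` and its output keys are hypothetical names, and treating a `*`-flagged `Mar 1 00:` timestamp as "just reloaded" is a heuristic assumption about a router whose clock has not yet been set.

```python
import re
from collections import Counter

# IOS syslog line: optional "*" (clock not authoritative), timestamp, optional zone, %FACILITY-SEV-MNEMONIC
LINE = re.compile(r"^(\*?)(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)(?:\s+\w+)?: %([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): (.*)$")
SPI = re.compile(r"spi=(0x[0-9A-Fa-f]+)")
STATUS = re.compile(r"status=\w+\[(0x[0-9A-Fa-f]+)\]")

# Sample input: the log lines from the original post (peer addresses were already blank there);
# the wrapped INV_SPI message is rejoined onto one line.
SAMPLE = """\
*Mar 1 00:00:22 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
Mar 12 03:20:16 GMT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=, prot=51, spi=0x1903C842(419678274), srcaddr=
Mar 12 03:20:18 GMT: %CRYPTO-4-IKMP_NO_SA: IKE message from has no SA and is not an initialization offer
Mar 12 03:21:00 GMT: %HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]
Mar 12 03:22:18 GMT: %HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]
Mar 12 03:23:50 GMT: %HW_VPN-1-LPRXERR: Virtual Private Network (VPN) Module1/15: Command Error IPSEC cmd=CRYPTO_ISA_SA_DELETE[0x30] Uproc cmd=DB Zero[50] status=Unknown[0x10F4]
"""

def summarize(log_text):
    """Split crypto/VPN-module messages into before/after the first reload marker."""
    out = {"reloads": 0, "before_reload": Counter(), "after_reload": Counter(),
           "spis": [], "lprxerr_status": Counter()}
    prev_boot = False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        star, stamp, facility, _sev, mnemonic, text = m.groups()
        # Heuristic (assumption): "*" plus a "Mar 1 00:" stamp means the clock is still at its
        # post-boot default, so the line was logged shortly after a reload.
        boot = bool(star) and " ".join(stamp.split()).startswith("Mar 1 00:")
        if boot and not prev_boot:
            out["reloads"] += 1
        prev_boot = boot
        if facility not in ("CRYPTO", "HW_VPN"):
            continue
        bucket = "after_reload" if out["reloads"] else "before_reload"
        out[bucket][f"{facility}-{mnemonic}"] += 1
        if mnemonic == "RECVD_PKT_INV_SPI":
            out["spis"] += SPI.findall(text)  # SPI of the SA the peer still holds
        elif mnemonic == "LPRXERR":
            out["lprxerr_status"].update(STATUS.findall(text))  # status value to note for Cisco support
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

On a longer capture, entries that land in `before_reload` are the ones to look at when asking whether the module preceded a reload; entries only in `after_reload` match the cleanup-after-reboot reading given above.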

Cisco Employee

Re: Router reloads affecting VPN module

Hi Rick,

I agree with you, but I decoded the error message in the Error Message Decoder and have pasted the output. If you have the link to the tool you can also check it.

http://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi?action=search&index=all&locale=en&query=%25HW_VPN-1-LPRXERR%3A+Virtual+Private+Network+%28VPN%29+Module1%2F15+&counter=0&paging=5&links=reference&sa=Submit

Regards,

Kamal
