Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

crypto ipsec gre tunels droped


From time to time lots of tunnels drop down due to:

Feb 1 15:10:05 EET: CRYPTO_ENGINE: crypto_pak_coalesce: could not get buffer for new pak. requested size 24

Feb 1 15:10:05 EET: CRYPTO_ENGINE: crypto_pak_coalesce: could not get buffer for new pak. requested size 90

Can somebody help me ?

#sho crypto eli

Hardware Encryption : ACTIVE

Number of hardware crypto engines = 1

CryptoEngine VAM2+:1 details: state = Active

Capability : IPPCP, DES, 3DES, AES, RSA, IPv6

IKE-Session : 423 active, 5120 max, 0 failed

DH : 227 active, 5120 max, 0 failed

IPSec-Session : 746 active, 10230 max, 0 failed


Cisco 7206VXR (NPE-G1) processor (revision B) with 491520K/32768K bytes of memory.

New Member

Re: crypto ipsec gre tunels droped

To configure Generic Routing Encapsulation (GRE) over an IPSec tunnel between two routers, perform these steps:

Create a tunnel interface (the IP address of tunnel interface on both routers must be in the same subnet), and configure a tunnel source and tunnel destination under tunnel interface configuration, as shown:

interface Tunnel0

ip address

tunnel source

tunnel destination

Configure isakmp policies, as shown:

crypto isakmp policy 1

authentication pre-share

Configure pre share keys, as shown:

crypto isakmp key cisco123 address (Remote outside interface IP with 32 bit subnet mask)

Configure transform set, as shown:

crypto ipsec transform-set strong esp-3des esp-md5-hmac

Creat crypto ACI that permits GRE traffic from the outside interface of the local router to the outside interface of the remote router, as shown:

access-list 120 permit gre host (local outside interface ip) host (Remote outside interface IP)

Configure crypto map and bind transform set and crypto Access Control List (ACL) to crypto map. Define peer IP address under crypto map, as shown:

crypto map vpn 10 ipsec-isakmp

set peer

set transform-set strong

match address 120

Bind crypto map to the physical (outside) interface if you are running Cisco IOS? Software Release 12.2.15 or later. If not, then the crypto map must be applied to the tunnel interface as well as the physical interace, as shown:

interface Ethernet0/0

ip address


crypto map vpn

Configure Network Address Traslation (NAT) bypass if needed, as shown:

access-list 175 deny ip (local private network) (subnet mask) (remote private network) (subnet mask)

access-list 175 permit ip (local private network) (subnet mask) any

route-map nonat permit 10

match ip address 175


ip nat inside source route-map nonat interface (outside interface name) overload