Cisco Support Community
Community Member

GDOI VPN - IPSEC SA Failing

This is a strange one, and unfortunately I cannot find any literature in either the TAC Case collections or support documentation.

I am running a GDOI VPN. It has been humming along nicely, until the following started appearing in the group member logs (group members are 1801s):

%GDOI-3-GM_NO_IPSEC_FLOWS : IPSec FLOW limit possibly reached

Once this started happening, the encryption (or rather the ability to decrypt) between group members simply stopped with the next change of keys.

All group members are still active participants in the GDOI VPN; they just can't encrypt or decrypt targeted traffic successfully (so they are registered with the keyserver, and have the current service policy etc.).

The only way to get the group member to properly participate in the mesh again is to reload it, which isn't the ideal fix obviously.

Anyone with ideas?

I am guessing it revolves around this:

%GDOI-3-GM_NO_IPSEC_FLOWS : IPSec FLOW limit possibly reached

1 REPLY
Community Member

Re: GDOI VPN - IPSEC SA Failing

A small update of sorts.

Turning OFF the onboard crypto engine on an affected 1801 has resolved the issue.

If I turn it back on again it seems to continue working.

Resetting it is obviously flushing some kind of buffer.

It doesn't answer the question, though, of what is causing it and why, and more importantly how to prevent it in future...
