Cisco bug CSCtc78745

david.tran
Level 4

Does anyone know what Cisco is talking about here:

IPSec tunnel fails to establish on ASR due to invalid SPI (SPI leak)
Symptoms:
IPsec SAs fail to form with an ASR and we see errors in the log similar to

%ACE-3-TRANSERR: ASR1000-ESP(14): IKEA trans 0xXXX; opcode 0x60; param 0xXXXX;
error 0xA; retry cnt 0

To confirm if you are hitting this bug run the command "show crypto ace spi" and look for
"Normal SPI allocated .................61440"

Well, the command "show crypto ace spi" does not exist on my ASR router and I am running the "defective" version that Cisco stated in the bug ID.

Don't these guys QA their work before putting it into the database?

ASR1002#sh crypto ?
  call             Show crypto call admission info
  debug-condition  Debug Condition filters
  dynamic-map      Crypto map templates
  eli              Encryption Layer Interface
  engine           Show crypto engine info
  gdoi             Show crypto gdoi
  ha               Crypto High Availability information
  identity         Show crypto identity list
  ipsec            Show IPSEC policy
  isakmp           Show ISAKMP
  key              Show long term public keys
  map              Crypto maps
  mib              Show Crypto-related MIB Parameters
  optional         Optional Encryption Status
  pki              Show PKI
  route            Show crypto VPN routes
  ruleset          Show crypto rules on outgoing packets
  session          Show crypto sessions (tunnels)
  sockets          Secure Socket Information
  tech-support     Displays relevant crypto information

ASR1002#sh crypto

5 Replies

david.tran
Level 4

Upon further review, this is a "hidden" command by Cisco.  You have to type in the whole command:

show crypto ace spi
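As an added example that is not part of the original thread, the two indicators the bug description gives (the %ACE-3-TRANSERR log line with opcode 0x60 / error 0xA, and the "Normal SPI allocated" counter from "show crypto ace spi") can be checked mechanically from collected syslog and command output. The syslog lines and the command output below are constructed samples modelled on the text quoted above; the hex transaction and param values are made up.

```python
import re

# Constructed sample syslog lines (not real device output); the message body
# follows the format quoted in the bug description, the hex values are invented.
SAMPLE_LOG = """\
Jan 10 12:00:01 asr1002 %ACE-3-TRANSERR: ASR1000-ESP(14): IKEA trans 0x1A2; opcode 0x60; param 0x3F0; error 0xA; retry cnt 0
Jan 10 12:00:05 asr1002 %SYS-5-CONFIG_I: Configured from console by admin
Jan 10 12:00:09 asr1002 %ACE-3-TRANSERR: ASR1000-ESP(14): IKEA trans 0x1B7; opcode 0x60; param 0x3F1; error 0xA; retry cnt 0
"""

# Constructed fragment of "show crypto ace spi" output; only the single line the
# bug description says to look for is reproduced here.
SAMPLE_SPI_OUTPUT = "Normal SPI allocated .................61440\n"

SPI_EXHAUSTED = 61440  # the value quoted in the bug description

TRANSERR_RE = re.compile(
    r"%ACE-3-TRANSERR: ASR1000-ESP\(\d+\): IKEA trans 0x[0-9A-Fa-f]+; "
    r"opcode 0x(?P<opcode>[0-9A-Fa-f]+); param 0x[0-9A-Fa-f]+; "
    r"error 0x(?P<error>[0-9A-Fa-f]+); retry cnt \d+"
)


def count_transerr(log_text, opcode=0x60, error=0xA):
    """Count %ACE-3-TRANSERR lines carrying the opcode/error pair from the bug."""
    n = 0
    for line in log_text.splitlines():
        m = TRANSERR_RE.search(line)
        if m and int(m.group("opcode"), 16) == opcode and int(m.group("error"), 16) == error:
            n += 1
    return n


def normal_spi_allocated(spi_output):
    """Return the 'Normal SPI allocated' counter, or None if the line is absent."""
    m = re.search(r"Normal SPI allocated\s*\.*\s*(\d+)", spi_output)
    return int(m.group(1)) if m else None


def likely_csctc78745(log_text, spi_output):
    """True only when both indicators from the bug description are present.
    The counter is compared for equality with the quoted value; treating a
    larger value as exhaustion too would be an assumption the page does not make."""
    errs = count_transerr(log_text)
    alloc = normal_spi_allocated(spi_output)
    return errs > 0 and alloc == SPI_EXHAUSTED


if __name__ == "__main__":
    print("TRANSERR count:", count_transerr(SAMPLE_LOG))
    print("Normal SPI allocated:", normal_spi_allocated(SAMPLE_SPI_OUTPUT))
    print("Matches bug signature:", likely_csctc78745(SAMPLE_LOG, SAMPLE_SPI_OUTPUT))
```

Feed it the router's real syslog and the captured "show crypto ace spi" output instead of the constructed samples; a match on both indicators is what the bug description treats as confirmation.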

Hi David,

I am glad to see that you already found the problem. In case you are hitting the bug, you could upgrade to:

Fixed-In

15.0(1)S
15.1(0.2)S
15.0(0.13)S0.7
15.1(0.8)S
15.1(2.3.2)PIB15
15.1(2.19)PI15
15.1(2.19.5)PIA15
15.1(0.0.15)PIL15
15.1(2.19.4)PIC15
15.1(3.6)T
15.1(1)SG5.5
15.1(1)SG5.6
15.1(1)MP1.27
15.1(1)SG5.25.1
15.1(1)WS0.32
15.1(1)SG5.78.11
15.1(1)SG5.98
15.1(1)SG5.103
15.1(1)SG5.124
15.1(1)SG5.163
15.1(1)SG5.169
15.1(1)SG5.170
15.0(5.21)SID
15.1(1)SD5.1
15.0(5.2)DPB35

As you may already know, all this information can be found at this link:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtc78745

Please mark this post as resolved if you do not have any further questions.

Thanks

No wonder you work for Cisco.  The solution is typically "reload" and/or upgrade.

Cisco is becoming more and more like Microsoft.  In other words, "reload" will fix the problem.  Otherwise, upgrade.

David,

In this case I just answered based on your description.

We are committed to performing advanced troubleshooting in order to answer / fix any problem you may experience.

I apologize if in this case the solution does not involve any troubleshooting.

Please keep posting your questions, we will be glad to help you out.

I have a follow up question.  According to the toolkit release note, it is fixed in the following code:

15.0(1)S
15.1(0.2)S
15.0(0.13)S0.7
15.1(0.8)S
15.1(2.3.2)PIB15
15.1(2.19)PI15
15.1(2.19.5)PIA15
15.1(0.0.15)PIL15
15.1(2.19.4)PIC15
15.1(3.6)T
15.1(1)SG5.5
15.1(1)SG5.6
15.1(1)MP1.27
15.1(1)SG5.25.1
15.1(1)WS0.32
15.1(1)SG5.78.11
15.1(1)SG5.98
15.1(1)SG5.103
15.1(1)SG5.124
15.1(1)SG5.163
15.1(1)SG5.169
15.1(1)SG5.170
15.0(5.21)SID
15.1(1)SD5.1
15.0(5.2)DPB35

Does it mean that if I am running 15.1(3)S2/3.4.2S, this bug is still there because only 15.1(3.6)T is listed as fixed?

Is that the correct assumption?