Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

Bronze

Cisco bug CSCtc78745

Does anyone know what Cisco is talking about here:

IPSec tunnel fails to establish on ASR due to invalid SPI (SPI leak)
Symptoms:
IPsec SAs fail to form with an ASR and we see errors in the log similar to

%ACE-3-TRANSERR: ASR1000-ESP(14): IKEA trans 0xXXX; opcode 0x60; param 0xXXXX;
error 0xA; retry cnt 0

To confirm if you are hitting this bug run the command show crypto ace
spi
and look for
"Normal SPI allocated .................61440"

Well, the command "show crypto ace spi" does not exist on my ASR router and I am running the "defective" version that Cisco stated in the bug ID.

Don't these guys QA their work before putting it into the database?

ASR1002#sh crypto ?

  call             Show crypto call admission info

  debug-condition  Debug Condition filters

  dynamic-map      Crypto map templates

  eli              Encryption Layer Interface

  engine           Show crypto engine info

  gdoi             Show crypto gdoi

  ha               Crypto High Availability information

  identity         Show crypto identity list

  ipsec            Show IPSEC policy

  isakmp           Show ISAKMP

  key              Show long term public keys

  map              Crypto maps

  mib              Show Crypto-related MIB Parameters

  optional         Optional Encryption Status

  pki              Show PKI

  route            Show crypto VPN routes

  ruleset          Show crypto rules on outgoing packets

  session          Show crypto sessions (tunnels)

  sockets          Secure Socket Information

  tech-support     Displays relevant crypto information

ASR1002#sh crypto

Everyone's tags (1)
5 REPLIES
Bronze

Cisco bug CSCtc78745

Upon further review, this is a "hidden" command by Cisco.  You have to type in the whole command:

show crypto ace spi

Re: Cisco bug CSCtc78745

Hi David,

I am glad to see that you already found the problem, in case you are hitting the bug, you could upgrade to:

Fixed-In

15.0(1)S

15.1(0.2)S

15.0(0.13)S0.7

15.1(0.8)S

15.1(2.3.2)PIB15

15.1(2.19)PI15

15.1(2.19.5)PIA15

15.1(0.0.15)PIL15

15.1(2.19.4)PIC15

15.1(3.6)T

15.1(1)SG5.5

15.1(1)SG5.6

15.1(1)MP1.27

15.1(1)SG5.25.1

15.1(1)WS0.32

15.1(1)SG5.78.11

15.1(1)SG5.98

15.1(1)SG5.103

15.1(1)SG5.124

15.1(1)SG5.163

15.1(1)SG5.169

15.1(1)SG5.170

15.0(5.21)SID

15.1(1)SD5.1

15.0(5.2)DPB35

As you may already know, all this information can be found in this link:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtc78745

Please mark this post as resolved if you do not have any further questions.

Thanks

Bronze

Re: Cisco bug CSCtc78745

No wonder you work for Cisco.  The solution is typically "reload" and/or upgrade

Cisco is becoming more and more like Microsoft.  In other words, "reload" will fix the problem.  Otherwise, upgrade

Re: Cisco bug CSCtc78745

David,

In this case I just answered based on your description.

We are committed to performing advance troubleshooting in order to answer / fix any problem you may experience.

I apologize if in this case the solution does not involve any troubleshooting.

Please keep posting your questions, we will be glad to help you out.

Bronze

Re: Cisco bug CSCtc78745

I have a follow up question.  According to the toolkit release note, it is fixed in the following code:

15.0(1)S

15.1(0.2)S

15.0(0.13)S0.7

15.1(0.8)S

15.1(2.3.2)PIB15

15.1(2.19)PI15

15.1(2.19.5)PIA15

15.1(0.0.15)PIL15

15.1(2.19.4)PIC15

15.1(3.6)T

15.1(1)SG5.5

15.1(1)SG5.6

15.1(1)MP1.27

15.1(1)SG5.25.1

15.1(1)WS0.32

15.1(1)SG5.78.11

15.1(1)SG5.98

15.1(1)SG5.103

15.1(1)SG5.124

15.1(1)SG5.163

15.1(1)SG5.169

15.1(1)SG5.170

15.0(5.21)SID

15.1(1)SD5.1

15.0(5.2)DPB35

Does it mean that if I am running 15.1(3)S2/3.4.2S, this bug is still there because only 15.1(3.6)T is listed as fixed?

is that the correct assumption?

1547
Views
0
Helpful
5
Replies
CreatePlease to create content