New Member

ISAKMP doesn't start after reload

Hi Everyone:

We have a Cisco 1841 router acting as a group member in a GETVPN network. When this router reloads, the ISAKMP process always stays OFF (%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF) and only starts once we force it through a clear crypto gdoi command or by manually disabling/enabling the crypto map on the interface; otherwise Phase 1 never starts and the GM never registers to the KS. Other group members in the network do not have this problem, and they have the same ISAKMP policy and GDOI configuration.

All routers in the network have the same IOS (C1841-ADVIPSERVICESK9-M, Version 12.4(15)T8, RELEASE SOFTWARE (fc3)), but this problem is present on only one router.

A debug crypto isakmp was issued on the odd router, but it didn't show any information because ISAKMP is stuck. After we issued the clear crypto gdoi command, ISAKMP began negotiation and authentication and the SA was finally established.

This is the router log after issuing a reload command:

*Jan 27 10:51:44.695: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T8, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Mon 01-Dec-08 13:52 by prod_rel_team
*Jan 27 10:51:44.699: %SNMP-5-COLDSTART: SNMP agent on host XXXXXXXX is undergoing a cold start
*Jan 27 10:51:44.763: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Jan 27 10:51:44.919: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Jan 27 10:51:44.919: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Jan 27 10:51:44.919: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Jan 27 10:51:45.999: %SYS-6-BOOTTIME: Time taken to reboot after reload =  130 seconds

This is the crypto configuration:

crypto isakmp policy 10
 encr 3des
 group 2
!
!
crypto gdoi group GETVPN
 identity number 10
 server address ipv4 a.b.c.d
 server address ipv4 x.y.z.x
!
!
crypto map GETVPN-MAP local-address FastEthernet0/1
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN

Thanks in advance.

Damián


Accepted Solutions
Cisco Employee

Re: ISAKMP doesn't start after reload

Hi,

There is a known issue with GETVPN that's fixed in 12.4(15)T10:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsv29424

This causes the router to not register with the KS after a reload. However, it's specific to a GETVPN configuration, which 12.4 mainline code does not support. I would suggest you open a TAC case to have it investigated.

Thanks,

Wen

4 REPLIES
New Member

Re: ISAKMP doesn't start after reload

It's a bug!! Confirmed by Cisco TAC. Cisco IOS Software version 12.4(15)T fc10 fixed this bug.

Thanks to all.

New Member

Re: ISAKMP doesn't start after reload

Hmm, I am seeing the same behavior under Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(18), R

Would you share your TAC case # so I can take it up with them again and see if possibly 4(18) is having the same issue you did before?

New Member

Re: ISAKMP doesn't start after reload

Hi,

Today I found this bug (CSCsv29424) under c890-universalk9-mz.151-4.M4 on an 892 router. The workaround mentioned in the BugToolkit worked. Any experience with it?

Kind regards,

Daniel
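An added example, not part of the original thread and not Cisco code: a small check that scans collected IOS syslog for the symptom described above, a reload after which GDOI is ON but ISAKMP never comes ON, so the group member cannot register to the KS. It assumes each boot starts at %SYS-5-RESTART; the first boot in the sample is taken from the log in the original post, the second is constructed.

```python
import re

# Matches IOS syslog lines such as
# "*Jan 27 10:51:44.919: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF"
LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+ [\d:.]+): %(?P<tag>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$")
STATE_RE = re.compile(r"^(ISAKMP|GDOI) is (ON|OFF)$")
CRYPTO_TAGS = ("CRYPTO-6-ISAKMP_ON_OFF", "CRYPTO-6-GDOI_ON_OFF")

# First boot: lines from the post. Second boot: constructed healthy start.
SAMPLE_LOG = """\
*Jan 27 10:51:44.695: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T8
*Jan 27 10:51:44.919: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Jan 27 10:51:44.919: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Jan 27 10:51:44.919: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Jan 27 10:51:45.999: %SYS-6-BOOTTIME: Time taken to reboot after reload =  130 seconds
*Jan 28 09:00:10.100: %SYS-5-RESTART: System restarted --
*Jan 28 09:00:10.300: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Jan 28 09:00:10.300: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Jan 28 09:00:10.400: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
"""


def find_stuck_boots(log_text):
    """Return one dict per boot where GDOI ended ON and ISAKMP never came ON."""
    boots, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner continuation lines, blank lines
        if m["tag"] == "SYS-5-RESTART":
            current = {"restart": m["ts"], "GDOI": None, "isakmp_on_at": None}
            boots.append(current)
        elif current is not None and m["tag"] in CRYPTO_TAGS:
            s = STATE_RE.match(m["msg"].strip())
            if not s:
                continue
            if s[1] == "GDOI":
                current["GDOI"] = s[2]  # keep the last GDOI state in this boot
            elif s[2] == "ON" and current["isakmp_on_at"] is None:
                current["isakmp_on_at"] = m["ts"]  # first time ISAKMP came up
    return [b for b in boots if b["GDOI"] == "ON" and b["isakmp_on_at"] is None]


if __name__ == "__main__":
    for boot in find_stuck_boots(SAMPLE_LOG):
        print("ISAKMP stayed OFF after restart at", boot["restart"])
```

A boot stops being reported once an "ISAKMP is ON" line appears in it, for example after a manual clear crypto gdoi; the isakmp_on_at timestamp then shows how long the member went without Phase 1.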
