Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

"Unknown" crypto errors

Hello CSC,

"First poster" around here, so be gentle. ;-)

I've been having some issues with my 2801 VPN router lately.

It appears to just not being able to create new (or re-new?) SAs for new or existing tunnels.

Looking at some debug output, gives me something that i have not seen before on this device (or any other):

Jul 12 10:24:33.573 METDST: crypto_engine_ipsec_key_create_by_keys: no available flows
Jul 12 10:24:33.573 METDST: ISAKMP:(0:1679:SW:1):error from epa_ikmp_gen_ipsec(1) (QM_IDLE      ) -Traceback= 0x615F7BA0 0x615E3974 0x61607AD8 0x6187E7D0 0x6160842C 0x615D38CC 0x615DE060 0x615D8DD4
Jul 12 10:24:33.577 METDST: ISAKMP:(0:1679:SW:1):gen IPsec SA in slot 17 failed!
Jul 12 10:24:33.577 METDST: ISAKMP:(0:1679:SW:1):Unable to generate IPsec key for -2103449435!

Of course there are lots of other messages, but these stand out as someone i have not seen before. Especially the "Traceback" part troubles me.

This router, running Cisco IOS Software, 2801 Software (C2801-ADVSECURITYK9-M), Version 12.4(10), RELEASE SOFTWARE (fc1), have around 90 configured tunnels, with around 40 or so "active" at anyone time.

Could i be hitting a hardware limit or similar?

I have not been able to google my way to anything, bot am hoping that some of you may be able to show me the path.

CPU usage averages around 15-20%.

Any input will be greatly appreciated.




CreatePlease to create content