New Member

VPN l2l - Internal error

We are getting strange errors with some tunnels:

Apr 02 2012
Group = DefaultL2LGroup, IP = XXXXX, SA lock refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 1, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0

Apr 02 2012
Group = DefaultL2LGroup, IP = XXXXX, Internal Error, ike_lock trying to unlock bit that is not locked for type SA_LOCK_P1_SA_CREATE

Some IPs are getting stuck and increase the established tunnels on the ASA. We can see 2500 hosts connected, but the ASA is showing about 3000.

    crypto ipsec transform-set ATM esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map XXXX 1 match address XXXXX
    crypto dynamic-map XPTO 1 set pfs
    crypto dynamic-map XPTO 1 set transform-set ATM
    crypto dynamic-map XPTO 1 set reverse-route
    crypto dynamic-map XPTO 1 match address XPTO_ATM_200
    crypto dynamic-map XPTO_AS 1 set pfs
    crypto dynamic-map XPTO_AS 1 set transform-set XPTP
    crypto dynamic-map XPTO_AS 1 set reverse-route
    crypto map XPTOP 120 ipsec-isakmp dynamic XPTO_ATM_MAP
    crypto map XPTO_AT interface outside
    crypto map XPTO_AS 600 ipsec-isakmp dynamic XPTO_ATM_MAP_AS
    crypto map XPTO_AS interface outside-as
    crypto isakmp enable outside
    crypto isakmp enable outside-as
    crypto isakmp policy 10

Just want to fix that issue.

New Member


Hi Leonardo,

I am seeing a similar error. Can you tell me if your ASA was locking up at all? Console access working but all ports locked up, needing a reboot to return?



New Member


Hello Karl,

We already solved this issue by applying the following commands:

    sysopt connection preserve-vpn-flows
    crypto isakmp nat-traversal 20

Try it and let us know.
