Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASR1004 RP1 with ESP10 and RTU License Can't Keep UP

Using ASR1004 for DMVPN hubs, the crypto engine can't keep up with a single spoke router authentication (ISAKMP phase 1).

 

Hardware

PID: ASR1004 
PID: ASR1000-SIP10 
PID: SPA-10X1GE-V2
PID: ASR1000-RP1 
PID: ASR1000-ESP10
DRAM: 4Gb

Image: asr1000rp1-adventerprisek9.03.07.04.S.152-4.S4.bin

IOS XE Version: 03.07.04.S

 

Debug ISAKMP and crypto engine output.

Timestamp: ISAKMP (0): received packet from X.Y.41.23 dport 500 sport 500 SECURE (N) NEW SA
Timestamp: ISAKMP: Created a peer struct for X.Y.41.23, peer port 500
Timestamp: ISAKMP: New peer created peer = 0x3D1464B0 peer_handle = 0x80000004
Timestamp: ISAKMP: Locking peer struct 0x3D1464B0, refcount 1 for crypto_isakmp_process_block
Timestamp: ISAKMP: local port 500, remote port 500
Timestamp: ISAKMP:(0):insert sa successfully sa = 41C29D18
Timestamp: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Timestamp: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
Timestamp: ISAKMP:(0): processing SA payload. message ID = 0
Timestamp: ISAKMP : Scanning profiles for xauth ... SECURE_ISAKMP_BBP2 ISAKMP-TEST
Timestamp: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer X.Y.41.23)
Timestamp: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer X.Y.41.23)
Timestamp: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Timestamp: ISAKMP:      encryption AES-CBC
Timestamp: ISAKMP:      keylength of 256
Timestamp: ISAKMP:      hash SHA256
Timestamp: ISAKMP:      default group 5
Timestamp: ISAKMP:      auth RSA sig
Timestamp: ISAKMP:      life type in seconds
Timestamp: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Timestamp: ISAKMP:(0):atts are acceptable. Next payload is 0
Timestamp: ISAKMP:(0):Acceptable atts:actual life: 0
Timestamp: ISAKMP:(0):Acceptable atts:life: 0
Timestamp: ISAKMP:(0):Fill atts in sa vpi_length:4
Timestamp: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Timestamp: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer X.Y.41.23)
Timestamp: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer X.Y.41.23)
Timestamp: ISAKMP:(0):Returning Actual lifetime: 86400
Timestamp: ISAKMP:(0)::Started lifetime timer: 86400.
Timestamp: crypto_engine_select_crypto_engine: can't handle any more
Timestamp: crypto_engine_select_crypto_engine: can't handle any more
Timestamp: ISAKMP : Unable to allocate IKE SA
Timestamp: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Timestamp: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
Timestamp: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Timestamp: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Timestamp: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_READY

Crypto Engine

        crypto engine name:  Cisco VPN Software Implementation
        crypto engine type:  software
             serial number:  00000000
       crypto engine state:  installed
     crypto engine in slot:  N/A
                  platform:  Cisco Software Crypto Engine
        crypto lib version:  22.0.0

 

Crypto ELI

Hardware Encryption : ACTIVE
 Number of hardware crypto engines = 1

 CryptoEngine IOSXE-ESP(14) details: state = Active
 Capability    : DES, 3DES, AES, RSA, IPv6, GDOI, FAILCLOSE

 IKE-Session   :     0 active, 12287 max, 0 failed
 DH            :     0 active, 12287 max, 0 failed
 IPSec-Session :     0 active, 32766 max, 0 failed

 

Why is the router crypto engine reporting that it can't handle any more and fails to allocate an IKE SA?  I would like to know of any useful commands that might shed light on this.

 

I should also add that the 'license' keyword is unavailable.

 

ASR-1004#sh license ?
% Unrecognized command

ASR-1004(config)#license ?
% Unrecognized command

 

Thanks

John

1 REPLY
New Member

I sorted it out by playing

I sorted it out by playing with the ISAKMP profile match statements eventually finding a certificate attribute that it liked.

Since there is no bug report to describe this scenario, the actual issue is still up in the air.  Perhaps the debug needs refining to better explain any match issues.

 

Follow up:

Phase 2 failed initially, but this was due to a know bud whereby IPSec transform sets can not operate in mixed mode (AH and ESP).

 

Please see for more details.

https://supportforums.cisco.com/discussion/11684461/ike-phase-2-sa-expires-immediately-site-2-site-ipsec-over-gre

248
Views
0
Helpful
1
Replies