ASA failover: unable to decrypt messages

atudos
Level 1

Hi,

We see the following "debug fover rx" messages on two ASA5520 firewall nodes which are configured for failover:

fover_ip: HA TRANS: unable to decrypt message

fover_ip: Incompatible cipher algorithm detected

Both units return these messages, but there seems to be no way to configure any encryption related parameters.

They are exactly the same units running the same software.

We couldn't find any explanation about these error messages anywhere, what could be the problem?

BR,

Andras

1 Accepted Solution

The decrypt messages are related to a 3DES license mismatch. I am sure upgrading the license would resolve it; failover would always have such an issue if we have a mismatch.

Thanks,

Varun

Please mark the thread as answered if your queries are resolved.

Thanks,
Varun Rao

Anu M Chacko
Cisco Employee

Hi Andras,

Do the devices have 3DES license? Please post the output of "sh ver" here.

Regards,

Anu

varrao
Level 10

Hi Andras,

Have you recently upgraded any license features on the firewall related to 3DES/AES? Could you provide the output of "show version" and "show run failover" from both units?

Thanks,

Varun

Thanks,
Varun Rao

Please be aware that both devices need to have exactly the same license features as well, and every time you install a new license on the device, you need to do "write memory" and reload the box to let the licenses take effect.

Hope this helps,

Thanks,

Varun

Thanks,
Varun Rao

There were no license or SW changes, and I was told that this was working so far.

asa1# sh ver

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)51

Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"

asa1 up 22 hours 2 mins
failover cluster up 22 hours 2 mins

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0  : address is 001d.7066.9002, irq 9
1: Ext: GigabitEthernet0/1  : address is 001d.7066.9003, irq 9
2: Ext: GigabitEthernet0/2  : address is 001d.7066.9004, irq 9
3: Ext: GigabitEthernet0/3  : address is 001d.7066.9005, irq 9
4: Ext: Management0/0       : address is 001d.7066.9001, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 750
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX1232L1MB
Running Activation Key: 0xb9214e55 0x44ada2e4 0xe4d15dd4 0xb17c6420 0xca07ad8a
Configuration register is 0x1
Configuration last modified by atudos at 11:27:15.658 CEDT Thu Jul 21 2011
asa1#

asa1# sh run failover

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover replication http
failover link failover GigabitEthernet0/3
failover interface ip failover 10.1.150.1 255.255.255.0 standby 10.1.150.2
asa1#

asa2-bud1# sh ver

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)51

Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"

asa2-bud1 up 1 hour 16 mins
failover cluster up 1 hour 16 mins

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0  : address is 001d.a29a.538c, irq 9
1: Ext: GigabitEthernet0/1  : address is 001d.a29a.538d, irq 9
2: Ext: GigabitEthernet0/2  : address is 001d.a29a.538e, irq 9
3: Ext: GigabitEthernet0/3  : address is 001d.a29a.538f, irq 9
4: Ext: Management0/0       : address is 001d.a29a.538b, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Disabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 750
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX1148L1L1
Running Activation Key: 0x471f534d 0x505b0a4b 0xa070013c 0xa188706c 0x8b3d3a8d
Configuration register is 0x2001
Configuration last modified by enable_15 at 12:11:51.279 CEDT Thu Jul 21 2011
asa2-bud1#

asa2-bud1# sh run failover

failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover replication http
failover interface ip failover 10.1.150.1 255.255.255.0 standby 10.1.150.2
asa2-bud1#

It is clearly an issue with the VPN/3DES license; you need to get the license for the second device as well.

-Varun

Thanks,
Varun Rao

This is what the license says:

1st device:

VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled

2nd device:

VPN-DES                      : Enabled
VPN-3DES-AES                 : Disabled

You need to procure the VPN/3DES license for the second device as well.

Hope this resolves your query.

-Varun

Thanks,
Varun Rao
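Varun's diagnosis comes down to a line-by-line comparison of the "Licensed features for this platform" block in both units' show version output. The following is an added example (mine, not from the thread or from Cisco) that parses that block from each unit's output, reports any feature whose value differs between the failover peers, and also confirms the two units run the same software version. The two sample outputs are constructed, trimmed to the relevant lines, and mirror the values Andras posted (primary VPN-3DES-AES Enabled, secondary Disabled).

```python
"""Compare the licensed-feature block of two Cisco ASA "show version" outputs.

Added example, not from the thread or from Cisco. The two sample outputs are
constructed and trimmed to the relevant lines; their values mirror what was
posted in the thread (primary: VPN-3DES-AES Enabled, secondary: Disabled).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: primary unit (values as posted for asa1).
PRIMARY_SHOW_VER = """\
asa1# sh ver
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)51

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2

This platform has an ASA 5520 VPN Plus license.
"""

# Constructed sample: secondary unit (values as posted for asa2-bud1).
SECONDARY_SHOW_VER = """\
asa2-bud1# sh ver
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)51

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Disabled
Security Contexts            : 2

This platform has an ASA 5520 VPN Plus license.
"""

# One "Feature name : value" line inside the licensed-features block.
FEATURE_LINE = re.compile(r"^(\S.*?)\s*:\s*(\S.*?)\s*$")


def parse_software_version(show_ver: str) -> str:
    """Return the ASA software version string (e.g. "8.0(4)"), or "" if absent."""
    m = re.search(r"Software Version (\S+)", show_ver)
    return m.group(1) if m else ""


def parse_licensed_features(show_ver: str) -> Dict[str, str]:
    """Return {feature: value} from the "Licensed features for this platform" block.

    The block starts at that header line and ends at the first blank line after
    it; the trailing "This platform has ..." sentence is outside the block.
    """
    features: Dict[str, str] = {}
    in_block = False
    for line in show_ver.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.strip():
            break  # blank line terminates the block
        m = FEATURE_LINE.match(line)
        if m:
            features[m.group(1)] = m.group(2)
    return features


def license_mismatches(a: Dict[str, str], b: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List (feature, value_on_a, value_on_b) for every feature that differs.

    A feature present on only one unit is reported as "<missing>" on the other.
    """
    out: List[Tuple[str, str, str]] = []
    for name in sorted(set(a) | set(b)):
        va = a.get(name, "<missing>")
        vb = b.get(name, "<missing>")
        if va != vb:
            out.append((name, va, vb))
    return out


def failover_peer_report(primary: str, secondary: str) -> Dict[str, object]:
    """Summarise the two checks a failover pair must pass: same software
    version and identical licensed features on both units."""
    mismatches = license_mismatches(
        parse_licensed_features(primary), parse_licensed_features(secondary)
    )
    same_version = parse_software_version(primary) == parse_software_version(secondary)
    return {
        "same_software_version": same_version,
        "license_mismatches": mismatches,
        "compatible": same_version and not mismatches,
    }


if __name__ == "__main__":
    report = failover_peer_report(PRIMARY_SHOW_VER, SECONDARY_SHOW_VER)
    for name, va, vb in report["license_mismatches"]:
        print(f"MISMATCH {name}: primary={va} secondary={vb}")
    print("failover pair compatible:", report["compatible"])
```

Run against the two posted outputs it reports a single mismatch, VPN-3DES-AES (Enabled versus Disabled), which is exactly the difference Varun pointed out; on a healthy pair the mismatch list is empty. Because the parser stops at the first blank line after the header, it is not confused by the colon-containing lines that follow the block (serial number, activation key, "last modified" timestamp).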

Thank you, I will have to research what happened with the licence. It is strange that it shows that it has VPN Plus but 3DES/AES is disabled. Can it be damaged somehow? Because we never installed a license; the units came with the licences originally, and as far as I know failover was already working correctly.

Andras

I have double-checked and both units were purchased with the 3DES/AES licence:

Part number      Description                                          Serial number
ASA5520-BUN-K9   ASA 5520 Appliance with SW, HA, 4GE+1FE, 3DES/AES    JMX1148L1L1
ASA5520-BUN-K9   ASA 5520 Appliance with SW, HA, 4GE+1FE, 3DES/AES    JMX1232L1MB

Is there a quick way to fix this, or do we have to go back to our supplier? Actually, Cisco knows which serial number has which licence...

Andras

I've registered at https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=139 for the 3DES/AES licence. I was told it will be delivered by email within 1 hour; I still hope it will arrive with some delay.

Thx for your support!

Andras

License has arrived, has been installed and after a reload failover is working again! Thx once more!

Andras

Lol, you should get it in time.

Thanks,

Varun

Thanks,
Varun Rao

No problem, all the best, glad the license arrived in time.

-Varun

Thanks,
Varun Rao