07-21-2011 04:01 AM - edited 03-11-2019 02:01 PM
Hi,
We see the following "debug fover rx" messages on two ASA5520 firewall nodes which are configured for failover:
fover_ip: HA TRANS: unable to decrypt message
fover_ip: Incompatible cipher algorithm detected
Both units return these messages, but there seems to be no way to configure any encryption related parameters.
They are exactly the same units running the same software.
We couldn't find any explanation about these error messages anywhere, what could be the problem?
BR,
Andras
07-21-2011 04:30 AM
The decrypt messages are related to a 3DES license mismatch. I am sure upgrading the license would resolve it; failover would always have such an issue if we have a mismatch.
Thanks,
Varun
Please mark the thread as answered if your queries are resolved.
07-21-2011 04:06 AM
Hi Andras,
Do the devices have 3DES license? Please post the output of "sh ver" here.
Regards,
Anu
07-21-2011 04:07 AM
Hi Andras,
Have you recently upgraded any license features on the firewall related to 3DES/AES? Could you provide the output of "show version" and "show run failover" from both units?
Thanks,
Varun
07-21-2011 04:09 AM
Please be aware both devices need to have exactly the same license features as well, and every time you install a new license on the device, you need to do "write memory" and reload the box to let the license take effect.
Hope this helps,
Thanks,
Varun
07-21-2011 04:17 AM
There were no license or sw changes and I was told that this was working so far.
asa1# sh ver
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)51
Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"
asa1 up 22 hours 2 mins
failover cluster up 22 hours 2 mins
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is 001d.7066.9002, irq 9
1: Ext: GigabitEthernet0/1 : address is 001d.7066.9003, irq 9
2: Ext: GigabitEthernet0/2 : address is 001d.7066.9004, irq 9
3: Ext: GigabitEthernet0/3 : address is 001d.7066.9005, irq 9
4: Ext: Management0/0 : address is 001d.7066.9001, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1232L1MB
Running Activation Key: 0xb9214e55 0x44ada2e4 0xe4d15dd4 0xb17c6420 0xca07ad8a
Configuration register is 0x1
Configuration last modified by atudos at 11:27:15.658 CEDT Thu Jul 21 2011
asa1#
asa1# sh run failover
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover replication http
failover link failover GigabitEthernet0/3
failover interface ip failover 10.1.150.1 255.255.255.0 standby 10.1.150.2
asa1#
asa2-bud1# sh ver
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)51
Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"
asa2-bud1 up 1 hour 16 mins
failover cluster up 1 hour 16 mins
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is 001d.a29a.538c, irq 9
1: Ext: GigabitEthernet0/1 : address is 001d.a29a.538d, irq 9
2: Ext: GigabitEthernet0/2 : address is 001d.a29a.538e, irq 9
3: Ext: GigabitEthernet0/3 : address is 001d.a29a.538f, irq 9
4: Ext: Management0/0 : address is 001d.a29a.538b, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1148L1L1
Running Activation Key: 0x471f534d 0x505b0a4b 0xa070013c 0xa188706c 0x8b3d3a8d
Configuration register is 0x2001
Configuration last modified by enable_15 at 12:11:51.279 CEDT Thu Jul 21 2011
asa2-bud1#
asa2-bud1# sh run failover
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover replication http
failover interface ip failover 10.1.150.1 255.255.255.0 standby 10.1.150.2
asa2-bud1#
07-21-2011 04:19 AM
It is clearly an issue of VPN/3DES license, you need to get the license for the second device as well.
-Varun
07-21-2011 04:21 AM
This is what the licenses say:
1st Device:
VPN-DES : Enabled
VPN-3DES-AES : Enabled
2nd device:
VPN-DES : Enabled
VPN-3DES-AES : Disabled
You need to procure the VPN/3DES license for the second device as well.
Hope this resolves your query.
-Varun
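Added example, not code from the thread or from Cisco: a small Python helper that pulls the "Licensed features" block out of two `show version` captures and reports the features whose values differ, which is the comparison Varun did by hand above. The two sample captures are constructed and abbreviated from the outputs posted in the thread.

```python
import re

# Constructed, abbreviated "show version" captures from two ASA failover peers.
# The licensed-feature lines mirror the thread's outputs; the rest is trimmed.
ASA1_SHOW_VER = """\
Cisco Adaptive Security Appliance Software Version 8.0(4)
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
This platform has an ASA 5520 VPN Plus license.
"""

ASA2_SHOW_VER = """\
Cisco Adaptive Security Appliance Software Version 8.0(4)
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Security Contexts : 2
This platform has an ASA 5520 VPN Plus license.
"""

# One "Feature name : value" line inside the licensed-features block.
FEATURE_RE = re.compile(r"^(?P<name>[A-Za-z0-9/+\- ]+?)\s*:\s*(?P<value>.+?)\s*$")

def parse_licensed_features(show_ver: str) -> dict:
    """Return {feature: value} from the 'Licensed features' block of a show version."""
    features = {}
    in_block = False
    for line in show_ver.splitlines():
        if line.startswith("Licensed features for this platform:"):
            in_block = True
            continue
        if in_block:
            m = FEATURE_RE.match(line)
            if not m:
                break  # first line without "name : value" ends the block
            features[m.group("name").strip()] = m.group("value")
    return features

def license_mismatches(ver_a: str, ver_b: str) -> dict:
    """Features whose value differs between the peers, as {feature: (a, b)}."""
    fa, fb = parse_licensed_features(ver_a), parse_licensed_features(ver_b)
    return {k: (fa.get(k), fb.get(k)) for k in sorted(set(fa) | set(fb)) if fa.get(k) != fb.get(k)}
```

Any non-empty result from `license_mismatches` is worth resolving before trusting the pair, since failover replicates configuration between units that must both be able to handle it.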
07-21-2011 04:24 AM
Thank you, I will have to research what happened with the licence. It is strange that it shows that it has VPN Plus but 3DES/AES is disabled. Can it be damaged somehow? Because we never installed a license, the units originally came with the licences, and as far as I know failover was already working correctly.
Andras
07-21-2011 04:37 AM
I have double-checked and both units were purchased with the 3DES/AES licence:
ASA5520-BUN-K9 | ASA 5520 Appliance with SW, HA, 4GE+1FE, 3DES/AES | JMX1148L1L1 |
ASA5520-BUN-K9 | ASA 5520 Appliance with SW, HA, 4GE+1FE, 3DES/AES | JMX1232L1MB |
Is there a quick way to fix this, or do we have to go back to our supplier? Actually, Cisco knows which serial number has which licence...
Andras
07-21-2011 05:39 AM
I've registered at https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=139 for the 3DES/AES licence, I was told it will be delivered in email within 1 hour, I still hope it will arrive with some delay.
Thx for your support!
Andras
07-21-2011 06:08 AM
License has arrived, has been installed and after a reload failover is working again! Thx once more!
Andras
07-21-2011 05:59 AM
Lol, you should get it in time.
Thanks,
Varun
07-21-2011 06:19 AM
No problem, all the best, glad the license arrived in time.
-Varun