Cisco ASR 1002-f vpn configuration

Hello.  I am trying to configure an ASR 1002-f with IOS-XE Version 15.4(3)S6a for two point-to-point VPNs.  I am currently running a Cisco 891W but need the added WAN throughput of the ASR.  This is my configuration on the 891, which works flawlessly for both VPNs; one to a Cisco 1841 and another to a Cisco 1941:

! Phase 1 (IKEv1): both peers' pre-shared keys in a single keyring
crypto keyring internet-keyring
  pre-shared-key address x.x.x.x key "shared-key"
  pre-shared-key address x.x.x.x key "shared-key"
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp policy 201
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp keepalive 10 periodic
! ISAKMP profiles: match each peer by address and bind it to the keyring
crypto isakmp profile blahblahblah
  description Tunnel to blahs House
  keyring internet-keyring
  match identity address x.x.x.x 255.255.255.255
crypto isakmp profile blahblahblah2
  description Tunnel to blahblahs House
  keyring internet-keyring
  match identity address x.x.x.x 255.255.255.255
! Phase 2 (IPsec): transform set plus the crypto map that is applied to the WAN interface
crypto ipsec security-association replay window-size 1024
crypto ipsec transform-set AES_256 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map vpn_outside 10 ipsec-isakmp
 description Tunnel to blahs House x.x.x.x
 set peer x.x.x.x
 set transform-set AES_256
 set isakmp-profile blahblahblah
 match address booboo
 qos pre-classify
crypto map vpn_outside 20 ipsec-isakmp
 description Tunnel to blahblahs house x.x.x.x
 set peer x.x.x.x
 set transform-set AES_256
 set isakmp-profile blahblahblah2
 match address booboo2
 qos pre-classify

The ASR takes all these commands and allows me to configure the access lists for the interesting traffic.  When I attempt to apply the "crypto map vpn_outside" command to the outside interface the router reloads with the following outputs:

Exception to IOS Thread:
Frame pointer 0x43339748, PC = 0x6C868FC

UNIX-EXT-SIGNAL: Aborted(6), Process = Exec
-Traceback= 1#12bd3efe5c66841e82889cbeaefcc606 c:6C50000+368FC c:6C50000+383DC c:6C50000+383DC c:6C50000+38520 :10000000+3CC43B4 :10000000+62F44EC :10000000+77C3ADC :10000000+FBBF8C :10000000+FC2CD8 :10000000+489D594 :10000000+FD42E4

Fastpath Thread backtrace:
-Traceback= 1#12bd3efe5c66841e82889cbeaefcc606 c:6C50000+DA038 c:6C50000+DA018 iosd_unix:6DFE000+1767C prelib:FFD6000+31BC pthread:6433000+5A4C

Auxiliary Thread backtrace:
-Traceback= 1#12bd3efe5c66841e82889cbeaefcc606 pthread:6433000+B598 pthread:6433000+B578 c:6C50000+EFB34 iosd_unix:6DFE000+24A10 prelib:FFD6000+31BC pthread:6433000+5A4C

PC = 0x06C868FC LR = 0x06C883DC MSR = 0x0002D000
CTR = 0x06441D60 XER = 0x20000000
R0 = 0x000000FA R1 = 0x43339748 R2 = 0x30099F60 R3 = 0x00000000
R4 = 0x00000372 R5 = 0x00000006 R6 = 0x00000000 R7 = 0x06C86BAC
R8 = 0x0002D000 R9 = 0x30092AE0 R10 = 0x30092AE0 R11 = 0x43339730
R12 = 0x06C883DC R13 = 0x1AAD7768 R14 = 0x00000000 R15 = 0x00000000
R16 = 0x00000000 R17 = 0x1A930000 R18 = 0x00000000 R19 = 0x1AAD0000
R20 = 0x1AAD0000 R21 = 0x1AAD0000 R22 = 0x00000001 R23 = 0x00000000
R24 = 0x00000000 R25 = 0x433398FC R26 = 0x3923F46C R27 = 0x1AA71ABC
R28 = 0x06DC0BF0 R29 = 0x00000006 R30 = 0x06DC07AC R31 = 0x43339748

Writing crashinfo to bootflash:crashinfo_RP_00_00_20220910-221456-CDT

When the router comes back up, of course, the crypto map command is missing from the outside WAN interface.

Does anyone know why the router would behave in this manner when the crypto map command is applied?  

Also I apologize if this is a duplicate post.  I submitted one earlier on the same subject, but when I check my user stats it shows I have 0 posts so I assumed I did something wrong. 

I checked the config; I don't see any issue with it except that the keys are configured under one keyring.
Make it two and add each one under its own ISAKMP profile.

Thanks for the quick response.  I tried as was suggested.  

crypto keyring internet-keyring
pre-shared-key address x.x.x.x key blahblah

crypto keyring internet-keyring-2
pre-shared-key address x.x.x.x key blahblah2

and applied the proper keyring to each isakmp profile.  Unfortunately the same thing happened:

(config-if)#crypto map vpn_outside


%Software-forced reload


Exception to IOS Thread:
Frame pointer 0x4333E748, PC = 0x6C868FC

UNIX-EXT-SIGNAL: Aborted(6), Process = Exec
-Traceback= 1#12bd3efe5c66841e82889cbeaefcc606 c:6C50000+368FC c:6C50000+383DC c:6C50000+383DC c:6C50000+38520 :10000000+3CC43B4 :10000000+62F44EC :10000000+77C3ADC :10000000+FBBF8C :10000000+FC2CD8 :10000000+489D594 :10000000+FD42E4

Fastpath Thread backtrace:
-Traceback= 1#12bd3efe5c66841e82889cbeaefcc606 c:6C50000+DA038 c:6C50000+DA018 iosd_unix:6DFE000+1767C prelib:FFD6000+31BC pthread:6433000+5A4C

Auxiliary Thread backtrace:
-Traceback= 1#12bd3efe5c66841e82889cbeaefcc606 pthread:6433000+B598 pthread:6433000+B578 c:6C50000+EFB34 iosd_unix:6DFE000+24A10 prelib:FFD6000+31BC pthread:6433000+5A4C

PC = 0x06C868FC LR = 0x06C883DC MSR = 0x0002D000
CTR = 0x06441D60 XER = 0x20000000
R0 = 0x000000FA R1 = 0x4333E748 R2 = 0x30099F60 R3 = 0x00000000
R4 = 0x00000371 R5 = 0x00000006 R6 = 0x00000000 R7 = 0x06C86BAC
R8 = 0x0002D000 R9 = 0x30092AE0 R10 = 0x30092AE0 R11 = 0x4333E730
R12 = 0x06C883DC R13 = 0x1AAD7768 R14 = 0x00000000 R15 = 0x00000000
R16 = 0x00000000 R17 = 0x1A930000 R18 = 0x00000000 R19 = 0x1AAD0000
R20 = 0x1AAD0000 R21 = 0x1AAD0000 R22 = 0x00000001 R23 = 0x00000000
R24 = 0x00000000 R25 = 0x4333E8FC R26 = 0x3923F46C R27 = 0x1AA71ABC
R28 = 0x06DC0BF0 R29 = 0x00000006 R30 = 0x06DC07AC R31 = 0x4333E748

Writing crashinfo to bootflash:crashinfo_RP_00_00_20220911-172858-CDT

I used to work (I retired in 2016) in a data center for a large railroad, configuring VPNs to customers with a Cisco front end.  We always bundled all the pre-shared keys into the same internet keyring and they worked fine, so I am assuming something else is going on here.

The router should have the required features/licenses, as it is the (PPC_LINUX_IOSD-ADVENTERPRISEK9-M) version, which to me means an Advanced Enterprise license, which should have everything.

Any other suggestions would be greatly appreciated.  

 - Ref: https://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/end_of_life_c51-678412.html. The device is very old; normally I would advise upgrading to the latest (gold-starred) software version, but downloads will probably no longer be available for this particular model. Use a modern router for the VPN requirements you have.

 M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Hello,

I have seen a couple of times now that crypto maps in VPNs do not work well on ASR routers; that could be the case here as well. Crypto maps are considered legacy; try VTIs. If you post the full running configs of both routers, I can fill in the bits and pieces...

in reply to marce1000...I have been using these pre-owned Cisco routers that are older, but have had good luck with them.  Unfortunately even a 1941 only has a WAN throughput of 150 Mbps.  I was looking for something with at least 1 GB throughput which is why I ended up with the ASR.

Georg Pauwen...I will attach the "edited" config for the ASR here.  Hopefully that will give you enough info.  I am willing to try VTI if it will work, but it seems bizarre the way the ASR responds to simply attaching the crypto map command to the outside interface.  I've worked with several routers that worked great with my VPN configs.  I wonder if I am adding these configs in the wrong "order" or something.  Thanks.

I do not think that your issue has anything to do with order. Any time that you see "traceback" in log messages you are looking at a software issue. I believe that you are hitting some bug when you attempt to configure the crypto map on the interface. Perhaps a different version of code might get around the issue?

I do like the suggestion of changing to VTI. It encrypts traffic to and from the vpn peer, and does not use crypto maps, so may very well get around the problem you are experiencing.

HTH

Rick
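As an added example (written for this page, not posted by anyone in the thread), this is what the two crypto-map tunnels from the first post look like as static VTIs on IOS-XE, which is the change Georg and Rick are suggesting. The IKEv1 policy, keyring and ISAKMP-profile names are kept from the thread; the peer addresses (203.0.113.10 and 203.0.113.20), the WAN interface name, the /30 tunnel addresses and the remote LAN prefixes are assumptions, since the thread redacts them.

```cisco
! Phase 1 is unchanged from the thread: one IKEv1 policy, one keyring per peer,
! one ISAKMP profile per peer. Peer addresses 203.0.113.10/.20 are placeholders.
crypto keyring internet-keyring
  pre-shared-key address 203.0.113.10 key blahblah
crypto keyring internet-keyring-2
  pre-shared-key address 203.0.113.20 key blahblah2
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp keepalive 10 periodic
crypto isakmp profile blahblahblah
  description Tunnel to blahs House
  keyring internet-keyring
  match identity address 203.0.113.10 255.255.255.255
crypto isakmp profile blahblahblah2
  description Tunnel to blahblahs House
  keyring internet-keyring-2
  match identity address 203.0.113.20 255.255.255.255
crypto ipsec security-association replay window-size 1024
crypto ipsec transform-set AES_256 esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Phase 2 moves from "crypto map" entries to IPsec profiles, one per peer,
! each bound to its ISAKMP profile.
crypto ipsec profile IPSEC-PROF-1
 set transform-set AES_256
 set isakmp-profile blahblahblah
crypto ipsec profile IPSEC-PROF-2
 set transform-set AES_256
 set isakmp-profile blahblahblah2
!
! One static VTI per peer. "tunnel mode ipsec ipv4" makes the tunnel itself the
! IPsec SA, so nothing is applied to the WAN interface. The WAN interface name
! (GigabitEthernet0/0/0) and the /30 tunnel addresses are assumptions.
interface Tunnel1
 description Tunnel to blahs House
 ip address 10.255.0.1 255.255.255.252
 qos pre-classify
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF-1
interface Tunnel2
 description Tunnel to blahblahs House
 ip address 10.255.0.5 255.255.255.252
 qos pre-classify
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF-2
!
! Interesting traffic is whatever is routed into a tunnel, so the crypto ACLs
! (booboo / booboo2) are replaced by routes. Remote LAN prefixes are assumptions.
ip route 192.168.10.0 255.255.255.0 Tunnel1
ip route 192.168.20.0 255.255.255.0 Tunnel2
```

The far ends have to be converted the same way (the 1841 and 1941 both support static VTIs): a VTI proposes 0.0.0.0/0 to 0.0.0.0/0 as the IPsec traffic selectors, so a crypto-map peer would only negotiate with it if its crypto ACL were `permit ip any any`. Remove `crypto map vpn_outside` from the WAN interface before applying this, then verify with `show crypto isakmp sa`, `show crypto ipsec sa` and `show interface Tunnel1`; the tunnel's line protocol only comes up once the IPsec SA is established. The IKEv1 policy is copied from the thread unchanged: `group 2` (1024-bit DH) and the 3DES fallback policy are weak by current standards, so use `group 14` and `hash sha256` if both ends support them.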

Hello,

sorry for my late reply. I looked at the configs and noticed you are using a ZBF. At first glance, I do not see any outside-to-self class to match and inspect ISAKMP traffic. Did the old 891 routers have the ZBF configured as well?

Thanks again for the reply, Georg Pauwen.  The 891 routers I used were set up with the older ip inspect firewall applied on the outbound interface, as such: ip inspect DEFAULT100 out.  I just used the inbound ACL on the outbound interface to allow any IP traffic, permit ip host x.x.x.x any, from the inbound VPN connections of the far-end routers.  I am new to the ZBF type of firewall.  What protocol do I specify, or is there one specifically for ISAKMP and/or IPsec traffic, that I need to set up with ZBF for the VPN traffic to work?  ...and do you have any other suggestions for setting up the ZBF?  If the ZBF were configured incorrectly, would that be what would cause the router to "blow up" and reload?
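An added example (not part of the thread) of the outside-to-self zone-pair Georg is asking about. There is no single "VPN" protocol to match: IKE is UDP/500, NAT-T is UDP/4500 and the encrypted payload is ESP (IP protocol 50). None of these can be stateful-inspected by ZBF, so the class uses `pass` rather than `inspect`, and it is restricted to the two peer addresses. The zone names, the WAN interface name and the peer addresses 203.0.113.10 and 203.0.113.20 are assumptions.

```cisco
! Assumed zone and interface names; the thread does not show them.
zone security INSIDE
zone security OUTSIDE

interface GigabitEthernet0/0/0
 description WAN (crypto map or VTI tunnel source)
 zone-member security OUTSIDE

! IKE (UDP 500), NAT-T (UDP 4500) and ESP from the two VPN peers only.
! "eq isakmp" is destination port 500; "eq non500-isakmp" is destination port 4500.
ip access-list extended VPN-PEERS-TO-SELF
 permit udp host 203.0.113.10 any eq isakmp
 permit udp host 203.0.113.10 any eq non500-isakmp
 permit esp host 203.0.113.10 any
 permit udp host 203.0.113.20 any eq isakmp
 permit udp host 203.0.113.20 any eq non500-isakmp
 permit esp host 203.0.113.20 any

class-map type inspect match-any CM-VPN-PEERS
 match access-group name VPN-PEERS-TO-SELF

! "pass" instead of "inspect": IKE and ESP cannot be stateful-inspected.
! "pass" is one-way; the self->OUTSIDE direction has no zone-pair here and
! therefore stays at the ZBF default for the self zone, which is permit.
! class-default drops anything else from the WAN aimed at the router itself.
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-VPN-PEERS
  pass
 class class-default
  drop log

zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
```

Two things follow from where the decrypted traffic lands. With a crypto map on the WAN interface, ZBF sees decrypted packets as arriving from the OUTSIDE zone, so the OUTSIDE-to-INSIDE zone-pair must also permit the remote LAN prefixes. If the tunnels are moved to VTIs instead, the Tunnel interfaces have to be members of a zone (a dedicated VPN zone, for instance) with their own zone-pairs to INSIDE, because traffic between a zone member and an interface in no zone is dropped. Since class-default drops everything else bound for the router, add classes for anything else the WAN must accept, such as DHCP if the WAN address is dynamic, and if a self-to-OUTSIDE policy is ever added it needs a matching `pass` class for the same protocols. Nothing in the thread ties the ZBF to the reload; Rick's reading is that the traceback points at a software defect.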