ASR 9001 IPsec crypto profile Semantic Error

pj0503311
Level 1

Attempting to configure IPsec VTI with the following configuration:

+ crypto isakmp policy 10000
+ authentication pre-share
+ group 5
+ encryption 256-aes
!
+ crypto ipsec transform-set P2P-set
+ transform esp-256-aes esp-sha-hmac
!
+ crypto ipsec profile P2P-profile
+ set transform-set P2P-set

All changes are successful except 

"+ crypto ipsec profile P2P-profile
+ set transform-set P2P-set"

for which I get the following error:

% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted.
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.


crypto ipsec profile P2P-profile
!!% 'CfgMgr' detected the 'fatal' condition 'This configuration has not been verified and can not be accepted by the system.'
set transform-set P2P-set
!!% 'CfgMgr' detected the 'fatal' condition 'This configuration has not been verified and can not be accepted by the system.'
!
end

I have looked everywhere and have found nothing on what this error even means. The syntax of the command is exactly as it should be according to several guides, both Cisco and non-Cisco sourced, and yet this command will not stick. 

I'm trying to configure IPsec VTI so I can have multicast over IPsec and skip having to have GRE encapsulation. I also found another forum post where someone said that the ASR 9000 did not support this, but I can't find it again; that was at least 3 years ago, and hopefully that isn't the case anymore.

Can anyone offer any guidance? 
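As an added example (not from the thread): a small Python parser for the IOS XR commit output quoted above. It pairs each echoed config line with the `!!% 'CfgMgr' ...` condition that follows it, so a config-push tool can report exactly which lines a pseudo-atomic commit rejected instead of only "commit failed". The sample output is constructed from the error text in the post.

```python
import re
from dataclasses import dataclass

# Sample commit output, constructed from the error text quoted in the post above.
SAMPLE_COMMIT_OUTPUT = """\
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted.
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.

crypto ipsec profile P2P-profile
!!% 'CfgMgr' detected the 'fatal' condition 'This configuration has not been verified and can not be accepted by the system.'
set transform-set P2P-set
!!% 'CfgMgr' detected the 'fatal' condition 'This configuration has not been verified and can not be accepted by the system.'
!
end
"""

# Shape of one rejection line: !!% 'component' detected the 'severity' condition 'message'
ERROR_RE = re.compile(r"^!!%\s+'(?P<component>[^']+)' detected the '(?P<severity>[^']+)' condition '(?P<message>.*)'$")

@dataclass
class FailedCommand:
    command: str      # the config line CfgMgr rejected
    component: str    # e.g. CfgMgr
    severity: str     # e.g. fatal
    message: str      # the quoted condition text

def parse_commit_output(text: str) -> dict:
    """Return commit status plus each rejected config line paired with the '!!%' condition echoed after it."""
    failures = []
    pending = None  # most recent config line not yet matched to an error
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("!", "end") or line.startswith("%"):
            continue                          # separators, 'end', and the summary line
        if line.startswith("!!%"):
            m = ERROR_RE.match(line)
            if m and pending is not None:
                failures.append(FailedCommand(pending, **m.groupdict()))
                pending = None
            continue
        if line.startswith("!!"):
            continue                          # banner text, not a config line
        pending = line                        # config line; the next '!!%' line explains it
    return {"reverted": "All changes made have been reverted" in text,
            "semantic_errors": "SEMANTIC ERRORS" in text, "failures": failures}
```

Against the sample, `parse_commit_output` reports the commit as reverted with semantic errors and lists the two rejected lines, `crypto ipsec profile P2P-profile` and `set transform-set P2P-set`, each with component `CfgMgr` and severity `fatal`.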

5 Replies

Peter Paluch
Cisco Employee

Hi,

Testing on XRv 6.0.1, I had no troubles entering this configuration:

crypto isakmp policy 1
 hash sha
 group 2
 encryption aes 128
 authentication pre-share
!
crypto ipsec transform-set T esp-aes 128 esp-sha-hmac
!
crypto ipsec profile P
 set transform-set T
!

As for your configuration, it was not accepted in the format you posted it in: apart from the '+' sign, some commands use a different syntax from yours, but the XRv 6.0.1-compatible version of your config is this one:

RP/0/0/CPU0:ios(config)#show run
Thu Aug 11 07:36:00.390 UTC
Building configuration...
!! IOS XR Configuration 6.0.1
!! Last configuration change at Thu Aug 11 07:35:55 2016 by cisco
!
crypto isakmp policy 10000
 group 5
 encryption aes 256
 authentication pre-share
!
crypto ipsec transform-set P2P-set esp-aes 256 esp-sha-hmac
!
crypto ipsec profile P2P-profile
 set transform-set P2P-set
!
end

Would you mind testing this out?

Best regards,
Peter

Thanks Peter for your reply,

I tried both the config you said worked for you and the one you suggested I try; neither worked unfortunately...

I am running IOS XR 5.2.4, maybe that's the reason for the differences?

A couple of things I noticed: when I attempted to enter

encryption aes 256

I noticed that "256" was not an option after entering "aes" but rather I had to type 256-aes.

Same goes for the config above that: "128" is not available after "aes", which I figured was probably cosmetic, as basic AES is 128-bit.

After posting this I did read about a VSM module for the ASR 9000 and that it added IPsec functionality to the router. Do I maybe need one of these cards?

Peter, are you working on an ASR 9000 or something else?

Thank you

Hi,

Hmmm... Well, I am running a virtual XR image called XRv - it's not a physical box, rather a Cisco-built virtual image for learning and for control-plane operations such as BGP route reflector. It is indeed possible that the command syntax differences can be attributed to the difference in the XR versions.

Unfortunately, I cannot comment on the VSM module for the ASR9000; I do not have experience with it.

My experience with XR is that a semantic error occurs when a command is fine but conflicts with something else that is configured, or lacks something that is not configured yet. It might well be possible that the command operates the VSM module, and if it isn't found, the command will semantically fail.

According to this End-of-Life document, however:

http://www.cisco.com/c/en/us/products/collateral/routers/asr-9000-series-aggregation-services-routers/eos-eol-notice-c51-737659.html

it does not make sense to purchase the VSM module for the IPsec operations, because IPsec support is going to be removed from the VSM altogether, and Cisco seems to recommend moving to a totally different router platform (ASR 1000) to act as an IPsec tunnel termination point.

It would seem that without this module, the box itself does not support IPsec, and Cisco is moving away from supporting IPsec on this platform for the future. My best guess...

Best regards,
Peter

I appreciate your willingness to help! I think you hit it on the head mentioning the VSM end of life and using the 1001 as a termination point. The more I look for info on how to do what I want to do, the more I find on how it won't work. We have some 1001s we could use, but we'll have to install them rather than using what we already have ready to go.

Thanks for your help!

Hi,

You are welcome! :)

Best regards,
Peter
