10-18-2018 08:42 AM - edited 03-05-2019 10:59 AM
ASR1002-RP1
IOS version: asr1000rp1-adventerprisek9.03.16.08.S.155-3.S8-ext.bin
Hi everyone..
Just wondering if anyone else has experienced an issue with an ASR1002 crashing and rebooting upon application of an ipsec profile onto a tunnel.
Seems to consistently occur as soon as the interface attempts to change state..
Have managed to recreate this fault with just limited config on the ASR interfaces.
e.g.
interface g0/1/0
description InternetConnection
ip address a.a.a.a
tunnel 1
tunnel protection ipsec profile ipsec PROFILE1
tunnel source a.a.a.a
tunnel destination b.b.b.b
We are currently running version "asr1000rp1-adventerprisek9.03.16.08.S.155-3.S8-ext.bin" but have tried
3 previous software versions all with similar crashing results..
Any advice would be appreciated please.
10-18-2018 09:53 AM
hello @jonmo2578
Cisco guide is to use tunnel source with Interface, not with IP, and if you are using multiple tunnels, you must also include a tunnel key and the keyword shared after the protection if you are using the same profile with other tunnels. Usually there are weird results when it's accomplished differently. Let me know if it works:
interface g0/1/0
description InternetConnection
ip address a.a.a.a
tunnel 1
tunnel source g0/1/0
tunnel destination b.b.b.b
tunnel protection ipsec profile ipsec PROFILE1 shared
tunnel key 1
10-19-2018 03:06 AM
Thanks for the reply @lespejel
I've just given this a go (using physical interface as source) and the router still immediately crashes/reboots as soon as I apply the profile into the tunnel as suggested. (I don't even get as far as applying the "tunnel key" command.)
The config on the ASR is currently very minimal and the ipsec profile is not shared with anything else.
Guess we may be looking at a hardware fault, so I may take up with TAC now that I have the crash logs.
interface g0/1/0
description InternetConnection
ip address a.a.a.a
tunnel 1
tunnel source g0/1/0
tunnel destination b.b.b.b
tunnel protection ipsec profile ipsec PROFILE1 shared
10-19-2018 07:47 AM
I do not agree with the advice that you need to specify the tunnel source as the interface and not the IP address. I have configured and run many tunnels, some of them with IPSec profiles, specifying the source as the IP and have not had any problem with them. I do agree that the appropriate thing is to open a case with Cisco TAC. If you do this and get a solution from them please post back to the community and share what you found.
HTH
Rick
10-19-2018 11:23 AM
Remove the tunnel completely and try again; tunnel key must match on both sides.
As @Richard Burts says, you can use an IP address, but the recommendation is to use an interface; configuration guides even mention using a loopback to increase availability.
Tunnel key is the value to identify multiple tunnels when a single source is used and relates packets to every GRE process.
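Added example, not part of any post in this thread: a small Python check for the rule stated in the two replies above (tunnels that reuse the same source and the same IPsec profile carry the shared keyword and a distinct tunnel key). The sample config, interface names and profile name are constructed, and sources are compared as literal strings, so g0/1/0 and GigabitEthernet0/1/0 would not be treated as equal.

```python
import re
from collections import defaultdict
# Constructed sample (not from the thread): Tunnel2 lacks "shared" and a key.
SAMPLE = """\
interface Tunnel1
 tunnel source GigabitEthernet0/1/0
 tunnel key 1
 tunnel protection ipsec profile PROFILE1 shared
!
interface Tunnel2
 tunnel source GigabitEthernet0/1/0
 tunnel protection ipsec profile PROFILE1
"""

def parse_tunnels(config):
    """Map each Tunnel interface to its source, key, profile and shared flag."""
    tunnels, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (Tunnel\d+)\s*$", line)
        if m:
            cur = tunnels.setdefault(m.group(1), dict(source=None, key=None, profile=None, shared=False))
        elif not line.startswith(" "):
            cur = None  # any other unindented line ends the stanza
        elif cur is not None:
            w = line.split()
            if w[:2] == ["tunnel", "source"] and len(w) > 2:
                cur["source"] = w[2]
            elif w[:2] == ["tunnel", "key"] and len(w) > 2:
                cur["key"] = w[2]
            elif w[:4] == ["tunnel", "protection", "ipsec", "profile"] and len(w) > 4:
                cur["profile"], cur["shared"] = w[4], "shared" in w[5:]
    return tunnels

def check_shared_profiles(config):
    """Flag tunnels reusing a (source, profile) pair without 'shared' or a unique key."""
    groups = defaultdict(list)
    for name, t in parse_tunnels(config).items():
        if t["profile"]:
            groups[(t["source"], t["profile"])].append((name, t))
    findings = []
    for (src, prof), members in groups.items():
        if len(members) < 2:
            continue  # a profile used by a single tunnel needs neither
        keys = [t["key"] for _, t in members]
        for name, t in members:
            if not t["shared"]:
                findings.append(f"{name}: {prof} reused on {src} without 'shared'")
            if t["key"] is None or keys.count(t["key"]) > 1:
                findings.append(f"{name}: no unique 'tunnel key' on {src}")
    return findings
```

Calling check_shared_profiles(SAMPLE) returns one finding per missing item, both for Tunnel2.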
10-19-2018 09:02 AM
Hello,
on a side note, the tunnel config looks incomplete, not sure if you have posted the entire configuration. Make sure you first configure:
tunnel mode ipsec ipv4
on the tunnel. Typically, a tunnel would look like this:
interface Tunnel1
ip address x.x.x.x y.y.y.y
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination z.z.z.z
tunnel protection ipsec profile PROFILE1
Also, does this happen with both IKE and IKEv2 ?
12-04-2018 10:54 PM
I also faced the same issue. After I changed to advance enterprise image the issue got resolved.
Moreover I noticed that when you apply the command - crypto ipsec transform-set TSET esp-3des esp-md5-hmac, the router won't take ESP authentication part. It will show only crypto ipsec transform-set TSET esp-3des.
12-12-2018 08:06 AM
Thanks for the reply Manu
Interesting.. which software version are you currently running as the Advanced Enterprise images I have tried have all crashed..
Regards
Jon
12-12-2018 09:22 PM