
ASR1002 crashes/reboots when applying IPsec Profile on tunnel?

jonmo2578
Level 1

ASR1002-RP1
IOS version: asr1000rp1-adventerprisek9.03.16.08.S.155-3.S8-ext.bin

Hi everyone..

Just wondering if anyone else has experienced an issue with an ASR1002 crashing and rebooting upon application of an ipsec profile onto a tunnel.

Seems to consistently occur as soon as the interface attempts to change state..

Have managed to recreate this fault with just limited config on the ASR interfaces.

e.g.

interface g0/1/0
description InternetConnection
ip address a.a.a.a

tunnel 1
tunnel protection ipsec profile ipsec PROFILE1
tunnel source a.a.a.a
tunnel destination b.b.b.b

We are currently running version "asr1000rp1-adventerprisek9.03.16.08.S.155-3.S8-ext.bin" but have tried 3 previous software versions all with similar crashing results..

Any advice would be appreciated please.

8 Replies

lespejel
Level 3

Hello @jonmo2578

Cisco guide is to use tunnel source with Interface, not with IP, and if you are using multiple tunnels, you must also include a tunnel key and the keyword shared after the protection if you are using the same profile with other tunnels. Usually there are weird results when it's accomplished differently. Let me know if it works:

interface g0/1/0
description InternetConnection
ip address a.a.a.a

tunnel 1
tunnel source g0/1/0
tunnel destination b.b.b.b
tunnel protection ipsec profile ipsec PROFILE1 shared
tunnel key 1

CCIE 52804

Thanks for the reply @lespejel

I've just given this a go (using physical interface as source) and the router still immediately crashes/reboots as soon as I apply the profile into the tunnel as suggested. (Don't even get as far as applying the "tunnel key" command.)

The config on the ASR is currently very minimal and the ipsec profile is not shared with anything else.

Guess we may be looking at a hardware fault, so I may take up with TAC now that I have the crash logs.

interface g0/1/0
description InternetConnection
ip address a.a.a.a

tunnel 1
tunnel source g0/1/0
tunnel destination b.b.b.b
tunnel protection ipsec profile ipsec PROFILE1 shared

I do not agree with the advice that you need to specify the tunnel source as the interface and not the IP address. I have configured and run many tunnels, some of them with IPSec profiles, specifying the source as the IP and have not had any problem with them. I do agree that the appropriate thing is to open a case with Cisco TAC. If you do this and get a solution from them please post back to the community and share what you found.

HTH

Rick

@jonmo2578

Remove the tunnel completely and try again. The tunnel key must match on both sides.

As @Richard Burts says, you can use the IP address, but the recommendation is to use the interface; configuration guides even mention using a loopback to increase availability.

The tunnel key is the value used to identify multiple tunnels when a single source is used, and it relates packets to every GRE process.

CCIE 52804

Hello,

On a side note, the tunnel config looks incomplete; not sure if you have posted the entire configuration. Make sure you first configure:

tunnel mode ipsec ipv4

on the tunnel. Typically, a tunnel would look like this:

interface Tunnel1
ip address x.x.x.x y.y.y.y
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination z.z.z.z
tunnel protection ipsec profile PROFILE1

Also, does this happen with both IKE and IKEv2?

Manu Shankar
Level 1

I also faced the same issue. After I changed to the advanced enterprise image the issue got resolved.

Moreover I noticed that when you apply the command - crypto ipsec transform-set TSET esp-3des esp-md5-hmac, the router won't take ESP authentication part. It will show only crypto ipsec transform-set TSET esp-3des.

Thanks for the reply Manu

Interesting.. which software version are you currently running as the Advanced Enterprise images I have tried have all crashed..

Regards

Jon

I use ADVENTERPRISEK9-M), Version 15.2(2.3)T. FYI.. I tested it in the virtual lab using EVE software. I observed the router rebooting when using the 'ipbasek9' image.