05-22-2014 02:08 AM - edited 03-04-2019 11:01 PM
Using ASR1004 for DMVPN hubs, the crypto engine can't keep up with a single spoke router authentication (ISAKMP phase 1).
Hardware
PID: ASR1004
PID: ASR1000-SIP10
PID: SPA-10X1GE-V2
PID: ASR1000-RP1
PID: ASR1000-ESP10
DRAM: 4Gb
Image: asr1000rp1-adventerprisek9.03.07.04.S.152-4.S4.bin
IOS XE Version: 03.07.04.S
Debug ISAKMP and crypto engine output.
Timestamp: ISAKMP (0): received packet from X.Y.41.23 dport 500 sport 500 SECURE (N) NEW SA
Timestamp: ISAKMP: Created a peer struct for X.Y.41.23, peer port 500
Timestamp: ISAKMP: New peer created peer = 0x3D1464B0 peer_handle = 0x80000004
Timestamp: ISAKMP: Locking peer struct 0x3D1464B0, refcount 1 for crypto_isakmp_process_block
Timestamp: ISAKMP: local port 500, remote port 500
Timestamp: ISAKMP:(0):insert sa successfully sa = 41C29D18
Timestamp: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Timestamp: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Timestamp: ISAKMP:(0): processing SA payload. message ID = 0
Timestamp: ISAKMP : Scanning profiles for xauth ... SECURE_ISAKMP_BBP2 ISAKMP-TEST
Timestamp: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer X.Y.41.23)
Timestamp: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer X.Y.41.23)
Timestamp: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Timestamp: ISAKMP: encryption AES-CBC
Timestamp: ISAKMP: keylength of 256
Timestamp: ISAKMP: hash SHA256
Timestamp: ISAKMP: default group 5
Timestamp: ISAKMP: auth RSA sig
Timestamp: ISAKMP: life type in seconds
Timestamp: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Timestamp: ISAKMP:(0):atts are acceptable. Next payload is 0
Timestamp: ISAKMP:(0):Acceptable atts:actual life: 0
Timestamp: ISAKMP:(0):Acceptable atts:life: 0
Timestamp: ISAKMP:(0):Fill atts in sa vpi_length:4
Timestamp: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Timestamp: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer X.Y.41.23)
Timestamp: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer X.Y.41.23)
Timestamp: ISAKMP:(0):Returning Actual lifetime: 86400
Timestamp: ISAKMP:(0)::Started lifetime timer: 86400.
Timestamp: crypto_engine_select_crypto_engine: can't handle any more
Timestamp: crypto_engine_select_crypto_engine: can't handle any more
Timestamp: ISAKMP : Unable to allocate IKE SA
Timestamp: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Timestamp: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Timestamp: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Timestamp: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Timestamp: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_READY
Crypto Engine
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: 00000000
crypto engine state: installed
crypto engine in slot: N/A
platform: Cisco Software Crypto Engine
crypto lib version: 22.0.0
Crypto ELI
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine IOSXE-ESP(14) details: state = Active
Capability : DES, 3DES, AES, RSA, IPv6, GDOI, FAILCLOSE
IKE-Session : 0 active, 12287 max, 0 failed
DH : 0 active, 12287 max, 0 failed
IPSec-Session : 0 active, 32766 max, 0 failed
Why is the router crypto engine reporting that it can't handle any more and fails to allocate an IKE SA? I would like to know of any useful commands that might shed light on this.
I should also add that the 'license' keyword is unavailable.
ASR-1004#sh license ?
% Unrecognized command
ASR-1004(config)#license ?
% Unrecognized command
Thanks
John
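As an added example (not part of the original post or any Cisco tooling), here is a small Python triage script for the kind of `debug crypto isakmp` and `show crypto eli` output quoted above. It embeds a trimmed, constructed copy of the post's own debug lines as sample input, extracts the peer, the proposed phase 1 attributes and the main-mode state transitions, flags the crypto-engine refusal and the `Unable to allocate IKE SA` line, and then checks those against the ELI session counters so that an engineer can tell at a glance whether the "can't handle any more" message reflects real session-capacity exhaustion (active == max) or, as in this post, something else. The `Timestamp:` prefix is the post's placeholder for the real log timestamp; the parser only splits on the first `: ` so it works on either.

```python
"""Triage helper for Cisco IOS/IOS XE ISAKMP debug output (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the debug lines quoted in the post.
SAMPLE_DEBUG = """\
Timestamp: ISAKMP (0): received packet from X.Y.41.23 dport 500 sport 500 SECURE (N) NEW SA
Timestamp: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Timestamp: ISAKMP: encryption AES-CBC
Timestamp: ISAKMP: keylength of 256
Timestamp: ISAKMP: hash SHA256
Timestamp: ISAKMP: default group 5
Timestamp: ISAKMP: auth RSA sig
Timestamp: ISAKMP:(0):atts are acceptable. Next payload is 0
Timestamp: crypto_engine_select_crypto_engine: can't handle any more
Timestamp: crypto_engine_select_crypto_engine: can't handle any more
Timestamp: ISAKMP : Unable to allocate IKE SA
Timestamp: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Timestamp: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Timestamp: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_READY
"""

# Constructed sample: the counter lines from the post's 'Crypto ELI' section.
SAMPLE_ELI = """\
CryptoEngine IOSXE-ESP(14) details: state = Active
IKE-Session : 0 active, 12287 max, 0 failed
DH : 0 active, 12287 max, 0 failed
IPSec-Session : 0 active, 32766 max, 0 failed
"""

PEER_RE = re.compile(r"received packet from (\S+) dport")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
ATTR_RE = re.compile(r"ISAKMP: (encryption|keylength of|hash|default group|auth) (.+)$")
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+)")
ELI_RE = re.compile(r"^(IKE-Session|DH|IPSec-Session)\s*:\s*(\d+) active, (\d+) max, (\d+) failed")
FAILURE_MARKERS = ("can't handle any more", "Unable to allocate IKE SA")


@dataclass
class IkeTrace:
    peer: str | None = None
    transitions: list[tuple[str, str]] = field(default_factory=list)
    proposal: dict[str, str] = field(default_factory=dict)
    failures: list[str] = field(default_factory=list)
    attempts: list[tuple[int, int]] = field(default_factory=list)


def parse_debug(text: str) -> IkeTrace:
    """Walk the debug lines and collect peer, proposal, states and failures."""
    trace = IkeTrace()
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            trace.peer = m.group(1)
        if m := STATE_RE.search(line):
            trace.transitions.append((m.group(1), m.group(2)))
        if m := ATTR_RE.search(line):
            trace.proposal[m.group(1).replace(" of", "")] = m.group(2).strip()
        if m := ATTEMPT_RE.search(line):
            trace.attempts.append((int(m.group(1)), int(m.group(2))))
        if any(marker in line for marker in FAILURE_MARKERS):
            # Drop the timestamp prefix; keep the message itself.
            trace.failures.append(line.split(": ", 1)[-1])
    return trace


def parse_eli(text: str) -> dict[str, dict[str, int]]:
    """Extract the active/max/failed counters from 'show crypto eli' output."""
    counters: dict[str, dict[str, int]] = {}
    for line in text.splitlines():
        if m := ELI_RE.match(line.strip()):
            counters[m.group(1)] = {
                "active": int(m.group(2)), "max": int(m.group(3)), "failed": int(m.group(4)),
            }
    return counters


def assess(trace: IkeTrace, counters: dict[str, dict[str, int]]) -> dict:
    """Cross-check the debug failure against the engine's session counters."""
    ike = counters.get("IKE-Session")
    findings = {
        "engine_refused": any("can't handle any more" in f for f in trace.failures),
        "sa_alloc_failed": any("Unable to allocate IKE SA" in f for f in trace.failures),
        # A transition whose old and new state are equal means the exchange stalled.
        "stalled_in": [old for old, new in trace.transitions if old == new],
        "reset_to_ready": any(new == "IKE_READY" for _, new in trace.transitions[1:]),
        "capacity_exhausted": bool(ike) and ike["active"] >= ike["max"],
    }
    if findings["engine_refused"] and not findings["capacity_exhausted"]:
        findings["verdict"] = ("engine refused the IKE SA but IKE-Session counters show headroom: "
                               "not a capacity problem; check ISAKMP policy/profile and PKI matching")
    elif findings["engine_refused"]:
        findings["verdict"] = "IKE-Session counters are at max: genuine session exhaustion"
    else:
        findings["verdict"] = "no crypto-engine allocation failure seen"
    return findings


if __name__ == "__main__":
    t = parse_debug(SAMPLE_DEBUG)
    f = assess(t, parse_eli(SAMPLE_ELI))
    print(f"peer={t.peer} proposal={t.proposal}")
    print(f"transitions={t.transitions} attempts={t.attempts}")
    print(f"verdict: {f['verdict']}")
```

Pointing the script at a full `debug crypto isakmp` capture rather than the embedded sample is a matter of reading the file into `parse_debug`; the verdict strings are this example's own wording, not router output.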
05-28-2014 08:35 AM
I sorted it out by playing with the ISAKMP profile match statements, eventually finding a certificate attribute that it liked.
Since there is no bug report to describe this scenario, the actual issue is still up in the air. Perhaps the debug needs refining to better explain any match issues.
Follow up:
Phase 2 failed initially, but this was due to a known bug whereby IPSec transform sets cannot operate in mixed mode (AH and ESP).
Please see for more details.