Using ASR1004 for DMVPN hubs, the crypto engine can't keep up with a single spoke router authentication (ISAKMP phase 1).
Hardware
PID: ASR1004
PID: ASR1000-SIP10
PID: SPA-10X1GE-V2
PID: ASR1000-RP1
PID: ASR1000-ESP10
DRAM: 4Gb
Image: asr1000rp1-adventerprisek9.03.07.04.S.152-4.S4.bin
IOS XE Version: 03.07.04.S
Debug ISAKMP and crypto engine output.
Timestamp: ISAKMP (0): received packet from X.Y.41.23 dport 500 sport 500 SECURE (N) NEW SA
Timestamp: ISAKMP: Created a peer struct for X.Y.41.23, peer port 500
Timestamp: ISAKMP: New peer created peer = 0x3D1464B0 peer_handle = 0x80000004
Timestamp: ISAKMP: Locking peer struct 0x3D1464B0, refcount 1 for crypto_isakmp_process_block
Timestamp: ISAKMP: local port 500, remote port 500
Timestamp: ISAKMP:(0):insert sa successfully sa = 41C29D18
Timestamp: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Timestamp: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Timestamp: ISAKMP:(0): processing SA payload. message ID = 0
Timestamp: ISAKMP : Scanning profiles for xauth ... SECURE_ISAKMP_BBP2 ISAKMP-TEST
Timestamp: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer X.Y.41.23)
Timestamp: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer X.Y.41.23)
Timestamp: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Timestamp: ISAKMP: encryption AES-CBC
Timestamp: ISAKMP: keylength of 256
Timestamp: ISAKMP: hash SHA256
Timestamp: ISAKMP: default group 5
Timestamp: ISAKMP: auth RSA sig
Timestamp: ISAKMP: life type in seconds
Timestamp: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Timestamp: ISAKMP:(0):atts are acceptable. Next payload is 0
Timestamp: ISAKMP:(0):Acceptable atts:actual life: 0
Timestamp: ISAKMP:(0):Acceptable atts:life: 0
Timestamp: ISAKMP:(0):Fill atts in sa vpi_length:4
Timestamp: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Timestamp: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer X.Y.41.23)
Timestamp: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer X.Y.41.23)
Timestamp: ISAKMP:(0):Returning Actual lifetime: 86400
Timestamp: ISAKMP:(0)::Started lifetime timer: 86400.
Timestamp: crypto_engine_select_crypto_engine: can't handle any more
Timestamp: crypto_engine_select_crypto_engine: can't handle any more
Timestamp: ISAKMP : Unable to allocate IKE SA
Timestamp: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Timestamp: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Timestamp: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Timestamp: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Timestamp: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_READY
Crypto Engine
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: 00000000
crypto engine state: installed
crypto engine in slot: N/A
platform: Cisco Software Crypto Engine
crypto lib version: 22.0.0
Crypto ELI
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine IOSXE-ESP(14) details: state = Active
Capability : DES, 3DES, AES, RSA, IPv6, GDOI, FAILCLOSE
IKE-Session : 0 active, 12287 max, 0 failed
DH : 0 active, 12287 max, 0 failed
IPSec-Session : 0 active, 32766 max, 0 failed
Why is the router crypto engine reporting that it can't handle any more and fails to allocate an IKE SA? I would like to know of any useful commands that might shed light on this.
I should also add that the 'license' keyword is unavailable.
ASR-1004#sh license ?
% Unrecognized command
ASR-1004(config)#license ?
% Unrecognized command
Thanks
John
