Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1635
Views
0
Helpful
5
Replies

ISR4431 version that supports crypto map on port-channel

rramish06
Level 1
Level 1

‎12-05-2024 10:52 PM

Hi. I currently have a crypto map applied to a port-channel on my ISR4431 which has a very outdated software version 03.16.04b.S. I want to upgrade it to a newer version, however I noticed that on newer versions crypto maps aren't supported on port-channels: "Currently only GDOI crypto map is supported on tunnel or port-channel interface"

Does anyone have information on which version is the latest that supports crypto maps on port-channels? As migrating to VTIs is not an option.

Thanks in advance.

Labels:
0 Helpful
5 Replies 5

Kasun Bandara
VIP
VIP

‎12-05-2024 11:31 PM

@rramish06 hi,

check this thread. 

2911 Router Mitigation 4431 Router Cyrpto Map - Cisco Community

currently recommended version for this router is 17.12.4 or 17.9.5a

Software Download - Cisco Systems

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB
0 Helpful

marce1000
Hall of Fame
Hall of Fame

‎12-06-2024 12:01 AM

 

  - FYI : https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-17/bulletin-c25-744830.html

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

M02@rt37
VIP
VIP

‎12-06-2024 07:13 AM

Hello @rramish06 

The ISR 4431 is running Cisco IOS XE software, and the use of crypto maps on port-channels has been deprecated in favor of modern approaches like VTIs.

Virtual Tunnel Interfaces are a more modern and flexible solution for establishing VPN tunnels compared to traditional crypto maps, especially when used with port-channels. With VTIs, you can create a point-to-point VPN tunnel that can be applied to a physical interface or even a logical interface like a port-channel. This eliminates the limitations that come with using crypto maps on port-channels...

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

stephan.l.martin1
Level 1
Level 1

‎12-06-2024 07:35 AM

Greetings!

Offering up a potential modification: have you looked at potentially converting to BDI interfaces? Not sure if the support for crytpo maps is supported but the link aggregation mechanism is similar and comparible with port channels. 

hope this helps.

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame

‎12-06-2024 04:01 PM - edited ‎12-06-2024 05:00 PM

WARNING:  

The router is currently on 3.16.X and there is a possibility of upgrading to 17.12.X (and later).  So consider the following: 

  1. Read up CSCvi80270.  If the router is pushing "full throttle", upgrading away from 3.16.X might see the router grind to a halt because the throughput bug is fixed after 3.16.X.
  2. Upgrading from 3.16.X will require a ROMMON upgrade.  Failure to do so will cause the router go into a boot-crash-loop.  
  3. Even with the ROMMON upgrade (item #2) it is not possible (if not risky) to conduct a direct upgrade to 17.12.X without going through an intermediate release like 17.6.X or 17.9.X.  This is because 17.12.X requires ROMMON version 17.5(1r) which is not a downloadable upgrade.  Instead, ROMMON version 17.5(1r) is "rolled into" 17.6.X and 17.9.X only but not in 17.12.X.  A direct upgrade may result in the router going into a boot-crash-loop.  This information is not documented by Cisco.  

Please read this:  Cisco ISR & ASR 1k Routers: IOS-XE/Firmware Upgrade (Install Mode)

The steps are: 

  1. Manually upgrade the ROMMON to, say, 17.3(1r).  
  2. DO NOT REBOOT the router.
  3. Upgrade to 17.6.X or 17.9.X. 
  4. Reboot the router
  5. Upgrade to 17.12.X.
  6. Reboot the router.

 

0 Helpful
Customers Also Viewed These Support Documents