Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1673
Views
0
Helpful
4
Replies

%PUNT_INJECT-5-DROP_PUNT_CAUSE:

tarmahmood1
Level 1
Level 1

‎01-25-2024 02:35 AM

Hello,

I was trying to setup ipsec tunnel with remote device but i get this error. Same configs has worked with other location with same router model ISR4331. Any idea?

%IOSXE-5-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00023818311620476832 %PUNT_INJECT-5-DROP_GLOBAL_POLICER: global punt policer drops packet from GigabitEthernet0

%IOSXE-5-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:003 TS:00023818760985759936 %PUNT_INJECT-5-DROP_PUNT_CAUSE: punt policer drops packets, cause: for-us-ctrl (0x37) from GigabitEthernet0/0/1.100

%IOSXE-5-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00023818311620476832 %PUNT_INJECT-5-DROP_GLOBAL_POLICER: global punt policer drops packet from GigabitEthernet0

%IOSXE-5-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:003 TS:00023818760985759936 %PUNT_INJECT-5-DROP_PUNT_CAUSE: punt policer drops packets, cause: for-us-ctrl (0x37) from GigabitEthernet0/0/1.100

#sh platform resources

tarmahmood1_0-1706178512552.png

 

Cisco IOS Software [Amsterdam], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.5

 

 

 

 

Labels:
0 Helpful
4 Replies 4

Georg Pauwen
VIP
VIP

‎01-25-2024 03:03 AM

Hello,

the error message mentions the punt policer. You could try to disable the punt-keepalives and/or increase the rate limit:

4331(config)# platform punt-keepalive disable
4431(config)# platform punt-keepalive rate-limit <value>

0 Helpful

MHM Cisco World
VIP
VIP

‎01-25-2024 03:10 AM

Try first disable keepalive of isakmp 

If the error stop then config keepalive on demand 

This make IPSec not send a lot of keepalive 

MHM

0 Helpful

tarmahmood1
Level 1
Level 1

‎01-30-2024 07:02 AM

@Georg Pauwen @MHM Cisco World I did both suggestions you have told but it didnt worked. but the tunnel was not working due to the mismatching of IPs in keyring. so i have concluded these messages has nothing to do with tunnel setup to make the it up. Thank you for your input.

0 Helpful

paul driver
VIP
VIP

‎01-30-2024 11:34 AM

Hello
Possible bug - have/can you upgrade to a newer version of code 17.3.8a which seems to include a fix for a CVE vulnerability also.
Or maybe review this cco doc


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card