05-27-2008 02:04 AM - edited 03-05-2019 11:14 PM
Hello All,
I have a complex design using IPSec tunnels to connect remote users. The IPSec tunnels to the devices work; however, occasionally they drop. When the IPSec tunnels drop, I seem to be getting the following error logged with ISAKMP and IPSec debugging turned on. I can find no reference to it anywhere on the Cisco site. The error reads:
ISAKMP: Trying to decrement ipsec count below 0
This is logged a few times then I see:
ISAKMP:(0:4:SW:1):deleting SA reason "Death by retransmission throw" state (R) QM_IDLE (peer xx.xx.xx.xx)
Which I suspect is where the IPSec link is getting reset.
Can anyone explain to me what this means, and/or why this is happening?
I can't post configs etc. as this is relating to a military installation.
Thanks for any advice.
06-02-2008 06:04 AM
For the message "ISAKMP: Trying to decrement ipsec count below 0", refer to bug CSCeg44021.
For troubleshooting IPsec, follow this URL, which will help you:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
06-02-2008 06:30 AM
Thank you for the response; however, it doesn't really help, as when I go into the Bug Toolkit I receive the following message:
CSCeg44021 has been superseded by CSCeb03160 displayed below.
CSCeb03160 Bug Details
Information contained within bug ID CSCeb03160 is only available to Cisco employees. It is our policy to make all externally-facing bugs available in Bug Toolkit so the system administrators have been automatically alerted to the problem.
We are not using Cisco VPN clients but have Windows devices configured to use local IP policies using secpol.msc. The IPSec tunnels to devices set up and run OK; however, they drop out as a group (those using the same map) after a period of time. The only errors seen in the error log which seem to be relevant are those that I've previously listed. The Cisco (home) end of the tunnels is a 2811 running IOS 12.4 advanced IP services. A loopback address is used for the IPSec tunnel endpoint as each site is connected via GRE tunnels to a site 2811. The far end (site) router is not configured for IPSec, and the secured traffic passes to the devices attached to the LAN beyond this router.
I have a total of 24 IPsec tunnels defined, as groups of four over six sites. Each group of far-end devices share a pre-shared key, ACLs and mapping information.
Any further information/assistance would be appreciated, as I am still none the wiser as to what the decrement error means.