891F Remote Access IKEv2 - "Fail to alloc IP addr"

train_wreck
Level 1

Attempting to connect the Windows 10 IKEv2 VPN client to an 891F, with IKEv2 IPsec. I've got the following crypto config on an 891F:

crypto pki trustpoint Domain.com
 fqdn Domain.com
 revocation-check none
 rsakeypair Domain.com




crypto pki certificate map RemoteCertMap 10
 issuer-name co cn = my ca


crypto ikev2 authorization policy RemoteAuthPolicy
 pool RemoteClients
 route set interface

crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha256
 group 2 21 20 14

crypto ikev2 policy default
 match fvrf any
 proposal default


crypto ikev2 profile RemoteProfile
 match certificate RemoteCertMap
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Domain.com
 dpd 60 10 on-demand
 virtual-template 1


crypto ipsec transform-set MainTransformSet esp-aes
 mode tunnel

crypto ipsec profile RemoteProfile
 set transform-set MainTransformSet
 set pfs group14
 set ikev2-profile RemoteProfile


ip local pool RemoteClients 192.168.254.10 192.168.254.20

And am getting the following error in the debug output when I try to connect:

...
Sep 21 09:53:07.061: IKEv2:% DVTI create request sent for profile RemoteProfile with PSH index 5.
Sep 21 09:53:07.061: IKEv2:(SESSION ID = 41,SA ID = 5):
Sep 21 09:53:07.061: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Sep 21 09:53:07.061: IKEv2:% DVTI Vi1 created for profile RemoteProfile with PSH index 5.
Sep 21 09:53:07.061: IKEv2:(SESSION ID = 41,SA ID = 5):: Fail to alloc IP addr
Sep 21 09:53:07.061: IKEv2:(SESSION ID = 41,SA ID = 5):Fail to alloc IP addr

...

The Win10 client reports "Error in assigning inner IP address to initiator in tunnel mode". I see the same error message with the Windows 7 client as well.

Any ideas what's happening here? "Fail to alloc IP addr" is a pretty obscure error: in quotes on Google it turns up only 3 results, suggesting that the message is sent when the IP address pool is full (it is not, there are no clients).....

2 Replies

train_wreck
Level 1

Hello, anyone? This is a pretty barebones simple setup, not really sure why it isn't working, and this log output doesn't give me anything to work with............. Surely IPsec remote access is old hat for Cisco today? (btw, I've tried setting up an IKEv1 version of this, and am getting the same error "Failed to alloc IP addr" and also "INTERNAL_ADDRESS_FAILURE".......)

I found this link to a bug that mentions this error, but it's not for the ISR devices...

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut50655/?referring_site=bugquickviewredir

....................

Still having an issue here, and there is virtually no information about "Fail to alloc ip addr" or "INTERNAL_ADDRESS_FAILURE"..... Does the 891 even officially support IKEv2????
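
Added example, not part of the thread: in the posted config the address pool is attached only through the authorization policy, so one check worth running on an excerpt like this is whether every named object is actually referenced. The names `POSTED`, `RULES` and `audit` are hypothetical, and the result only describes the excerpt as posted.

```python
import re

# Lines that define or reference named objects, copied from the posted config.
POSTED = """\
crypto pki trustpoint Domain.com
crypto pki certificate map RemoteCertMap 10
crypto ikev2 authorization policy RemoteAuthPolicy
 pool RemoteClients
crypto ikev2 proposal default
crypto ikev2 policy default
 proposal default
crypto ikev2 profile RemoteProfile
 match certificate RemoteCertMap
 pki trustpoint Domain.com
 virtual-template 1
crypto ipsec transform-set MainTransformSet esp-aes
crypto ipsec profile RemoteProfile
 set transform-set MainTransformSet
 set ikev2-profile RemoteProfile
ip local pool RemoteClients 192.168.254.10 192.168.254.20
"""

# kind -> (definition regex, reference regex). The "aaa authorization" and
# "tunnel protection" reference forms do not appear in the post (assumed IOS syntax).
RULES = {
    "trustpoint": (r"^crypto pki trustpoint (\S+)", r"^ +pki trustpoint (\S+)"),
    "certificate map": (r"^crypto pki certificate map (\S+)", r"^ +match certificate (\S+)"),
    "authorization policy": (r"^crypto ikev2 authorization policy (\S+)",
                             r"^ +aaa authorization (?:group|user) .*\blist \S+ (\S+)"),
    "ikev2 proposal": (r"^crypto ikev2 proposal (\S+)", r"^ +proposal (\S+)"),
    "ikev2 profile": (r"^crypto ikev2 profile (\S+)", r"^ +set ikev2-profile (\S+)"),
    "transform-set": (r"^crypto ipsec transform-set (\S+)", r"^ +set transform-set (\S+)"),
    "ipsec profile": (r"^crypto ipsec profile (\S+)", r"^ +tunnel protection ipsec profile (\S+)"),
    "local pool": (r"^ip local pool (\S+)", r"^ +pool (\S+)"),
    "virtual-template": (r"^interface Virtual-Template(\d+)", r"^ +virtual-template (\d+)"),
}

def audit(config):
    """Return (defined but never referenced, referenced but never defined)."""
    unreferenced, undefined = [], []
    for kind, (def_re, ref_re) in RULES.items():
        defined = set(re.findall(def_re, config, re.M))
        referenced = set(re.findall(ref_re, config, re.M))
        unreferenced += [(kind, name) for name in sorted(defined - referenced)]
        undefined += [(kind, name) for name in sorted(referenced - defined)]
    return unreferenced, undefined

if __name__ == "__main__":
    print(audit(POSTED))
```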