
ASA5505 site-to-site vpn is down "ERROR: CTM ipsec "

Level 1



I have a Cisco ASA5505 branch configured with a site-to-site VPN to an ASA5512 at HQ. The VPN is torn down and it is not coming up active after a system crash. When I issue "no crypto ikev1 enable outside" it shows "ERROR: CTM ipsec poll ctl DU_IOCTL_SUSPEND_POLL ioctl failed."

And once I issue "crypto ikev1 enable outside" it shows "ERROR: CTM ipsec poll ctl DU_IOCTL_RESUME_POLL ioctl failed."

Please help to sort this out.

I have updated the IOS to Ver 9.1.1





8 Replies

Level 1

Hi Joses,


Have you got this issue resolved? I have the same issue, but using GNS3. Not sure if it's an issue within GNS3 or some kind of kernel issue.



Smith Joseph

Level 1



I have exactly the same problem on two ASA5510s, manifested immediately after the firmware update from asa916-8-k8.bin to the latest version (asa917-32-k8.bin).

I tried to downgrade to the original version, and even to 8.4.31, but the error (ERROR: CTM ipsec poll ctl DU_IOCTL_RESUME_POLL ioctl failed.) occurs at startup, when the two lines "crypto ikev1 enable outside" and "crypto ikev2 enable outside" are reloaded from startup-config.

I tried to format the flash and to reload the firmware from scratch, the configuration (I had to also reload the license keys), but the error always appears.


Evidently the update to 9.1(7)-32 wrote something in a non-volatile memory that is not deleted or overwritten by downgrading....


It's a very serious fact for the reputation of Cisco devices: if for security reasons I have to upgrade the software and this makes the equipment useless because even a downgrade is useless, what do I do? Throw two 5510s in the trash? And with what anxiety will I make a software update again?


Does anyone know if there is any possibility of opening a TAC case, given that the 9.1(7)-32 update is dated September 2018, despite the 5510 being in EOL?


Thanks in advance....

Thanks for your support!
Unfortunately, my equipment is not under a service contract, because I assumed that two devices would be sufficient to deal with any breakdowns.
And *I was convinced* that a possible problem with a software update would be solved by making a rollback.

This is a blow to the trust I have always placed in Cisco, but that I will not be able to have in the future....



Man, I can feel for you. Sorry to hear about the disappointment.

Please do not forget to rate.

What happens when you bypass any config by using this register command in rommon?


To update the configuration register value,


Enter the following command:

rommon #1> confreg 0x41


To boot with fresh config:

rommon #2> boot


Enter the configuration again and see what happens. I know there is a hidden partition on the flash for the license keys; perhaps something extra is set there after the software upgrade?


Perhaps try another flash card: format it in the outside CF slot and copy a lower image to it, save the license keys and take out the internal CF card (it is just a CF card inside), then boot the ASA and insert the activation key again.


Perhaps this helps. Not all CF cards are supported, I know.


edsge teenstra
Level 1

Hi, did you solve this?


Perhaps you can set the config register to bypass the configuration to see what happens. Also, perhaps compare the rommon settings of a working ASA5505/ASA5510 to find a difference.

Level 1

This is because of the bug in the image you are using; try changing it to another image.