Bad range <1-0> for command 'crypto ikev2 limit max-in-negotiation-sa

Matteo Cannizzo
Level 1

Hello Team,
We upgraded our Firepower 4110 Logical MultiContext ASA from 9.12 to 9.18.4.50.
After the successful update we are facing this alert:

%ASA-1-111111: Bad range <1-0> for command 'crypto ikev2 limit max-in-negotiation-sa value '

We have a multicontext VPN that we have set to 100% of the FW resources to negotiate ikev2 tunnels.

We executed "crypto ikev2 limit max-in-negotiation-sa value 0" on all other contexts, but the warning is still present.

We opened a TAC case to further analyze this issue. It turns out we are facing a cosmetic bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj87111

The only solution seems to be executing the command: no logging message 111111

But message ID 111111 is a generic error related to ASA system or infrastructure, so we can't proceed with this solution either:

111111
Error Message % ASA-1-111111 error_message
Explanation A system or infrastructure error has occurred.
Recommended Action If the problem persists, contact the Cisco TAC.

Is there any other solution to resolve this issue?

Best Regards,
Matteo.

1 Reply

Sheraz.Salim
VIP Alumni

An alternative approach to mitigate this issue would be to adjust the IKEv2 SA negotiation. Instead of setting the value to 0, try using a small number (an integer, such as 1 or 2) in the command: "crypto ikev2 limit max-in-negotiation-sa 1". This may help avoid triggering the alert while still allowing your VPN to function properly. If the issue persists, you may need to consider temporarily living with the alert until a patch or new software version with a fix is released, or explore the possibility of rolling back to a previous ASA version if the alert is causing significant operational concerns.

Please do not forget to rate.
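
An added example, not part of the thread or of Cisco's guidance: because `no logging message 111111` would silence every 111111 event, the cosmetic line can instead be dropped at the log collector by matching its exact text, so any other 111111 error still reaches the operator. The sample lines, the hostname `fw1` and the function names are constructed for illustration.

```python
import re

# ASA syslog body: %ASA-<severity>-<6-digit message id>: <text>
ASA_MSG = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")

# Exact text of the cosmetic alert quoted in the question above.
COSMETIC = re.compile(
    r"^Bad range <1-0> for command 'crypto ikev2 limit max-in-negotiation-sa\b"
)


def classify(line):
    """Return 'cosmetic', 'alert' (any other 111111) or 'other'."""
    m = ASA_MSG.search(line)
    if not m or m.group("id") != "111111":
        return "other"
    if COSMETIC.match(m.group("text")):
        return "cosmetic"
    return "alert"


def triage(lines):
    """Drop only the cosmetic line; return (kept_lines, suppressed_count)."""
    kept, suppressed = [], 0
    for line in lines:
        if classify(line) == "cosmetic":
            suppressed += 1  # counted, so the noise stays measurable
        else:
            kept.append(line)
    return kept, suppressed


# Constructed sample input (timestamps, hostname and texts are illustrative).
SAMPLE = [
    "Mar 01 10:00:01 fw1 %ASA-1-111111: Bad range <1-0> for command "
    "'crypto ikev2 limit max-in-negotiation-sa value '",
    "Mar 01 10:00:05 fw1 %ASA-1-111111: constructed placeholder for a "
    "different infrastructure error",
    "Mar 01 10:00:09 fw1 %ASA-6-302013: Built outbound TCP connection "
    "(constructed)",
]

if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE)
    print(f"suppressed {suppressed} cosmetic line(s)")
    for line in kept:
        print(f"[{classify(line)}] {line}")
```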