07-09-2012 06:44 PM
Does anyone know what Cisco is talking about here:
IPSec tunnel fails to establish on ASR due to invalid SPI (SPI leak)
Symptoms: IPsec SAs fail to form with an ASR and we see errors in the log similar to
%ACE-3-TRANSERR: ASR1000-ESP(14): IKEA trans 0xXXX; opcode 0x60; param 0xXXXX; error 0xA; retry cnt 0
To confirm if you are hitting this bug run the command show crypto ace spi and look for "Normal SPI allocated .................61440"
Well, the command "show crypto ace spi" does not exist on my ASR router and I am running the "defective" version that Cisco stated in the bug ID.
Don't these guys QA their work before putting it into the database?
ASR1002#sh crypto ?
call Show crypto call admission info
debug-condition Debug Condition filters
dynamic-map Crypto map templates
eli Encryption Layer Interface
engine Show crypto engine info
gdoi Show crypto gdoi
ha Crypto High Availability information
identity Show crypto identity list
ipsec Show IPSEC policy
isakmp Show ISAKMP
key Show long term public keys
map Crypto maps
mib Show Crypto-related MIB Parameters
optional Optional Encryption Status
pki Show PKI
route Show crypto VPN routes
ruleset Show crypto rules on outgoing packets
session Show crypto sessions (tunnels)
sockets Secure Socket Information
tech-support Displays relevant crypto information
ASR1002#sh crypto
07-10-2012 04:04 AM
Upon further review, this is a "hidden" command by Cisco. You have to type in the whole command:
show crypto ace spi
07-10-2012 10:48 AM
Hi David,
I am glad to see that you already found the problem. In case you are hitting the bug, you could upgrade to:
Fixed-In
15.0(1)S
15.1(0.2)S
15.0(0.13)S0.7
15.1(0.8)S
15.1(2.3.2)PIB15
15.1(2.19)PI15
15.1(2.19.5)PIA15
15.1(0.0.15)PIL15
15.1(2.19.4)PIC15
15.1(3.6)T
15.1(1)SG5.5
15.1(1)SG5.6
15.1(1)MP1.27
15.1(1)SG5.25.1
15.1(1)WS0.32
15.1(1)SG5.78.11
15.1(1)SG5.98
15.1(1)SG5.103
15.1(1)SG5.124
15.1(1)SG5.163
15.1(1)SG5.169
15.1(1)SG5.170
15.0(5.21)SID
15.1(1)SD5.1
15.0(5.2)DPB35
As you may already know, all this information can be found in this link:
Please mark this post as resolved if you do not have any further questions.
Thanks
07-10-2012 12:47 PM
No wonder you work for Cisco. The solution is typically "reload" and/or upgrade.
Cisco is becoming more and more like Microsoft. In other words, "reload" will fix the problem. Otherwise, upgrade.
07-10-2012 12:56 PM
David,
In this case I just answered based on your description.
We are committed to performing advanced troubleshooting in order to answer / fix any problem you may experience.
I apologize if in this case the solution does not involve any troubleshooting.
Please keep posting your questions, we will be glad to help you out.
07-10-2012 04:21 PM
I have a follow-up question. According to the toolkit release note, it is fixed in the following code:
15.0(1)S
15.1(0.2)S
15.0(0.13)S0.7
15.1(0.8)S
15.1(2.3.2)PIB15
15.1(2.19)PI15
15.1(2.19.5)PIA15
15.1(0.0.15)PIL15
15.1(2.19.4)PIC15
15.1(3.6)T
15.1(1)SG5.5
15.1(1)SG5.6
15.1(1)MP1.27
15.1(1)SG5.25.1
15.1(1)WS0.32
15.1(1)SG5.78.11
15.1(1)SG5.98
15.1(1)SG5.103
15.1(1)SG5.124
15.1(1)SG5.163
15.1(1)SG5.169
15.1(1)SG5.170
15.0(5.21)SID
15.1(1)SD5.1
15.0(5.2)DPB35
Does it mean that if I am running 15.1(3)S2/3.4.2S, this bug is still there because only 15.1(3.6)T is listed as fixed?
Is that the correct assumption?