10-03-2022 08:22 AM - edited 10-27-2023 04:28 AM
Hello Experts,
We have an issue at one of our customer routers (C1111-4P), where we have set up Tunnel 0 with IPsec, with a VTI tunnel on the remote side. Suddenly the tunnel is down (it was working earlier); reachability is fine from both ends, and there is no ACL in the path. We cannot raise a TAC case because the device is not under any contract. Below is the debug; please help to resolve this issue.
Labels: IPSEC
Accepted Solutions
10-06-2022 08:22 AM
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvx74212
This, I think, is a bug.
System Resource Limit: 0 <<- this not Zero
Sorry for the late reply; please check the bug details.
10-03-2022 08:27 AM
You need to configure PFS in Phase 2 of IKEv2 to make the tunnel build the child crypto.
10-03-2022 09:34 AM - edited 10-27-2023 04:29 AM
Thanks, but I guess it's already there.
10-03-2022 09:36 AM
OK,
Does the other side use the same PFS group 16?
What version do you run on your router?
10-04-2022 02:21 AM
Yes, the other side is also using the same PFS group 16.
Version: Cisco IOS XE Software, Version 16.09.05
c1100-universalk9_ias.16.09.05.SPA.bin
10-03-2022 12:54 PM - edited 10-03-2022 12:58 PM
Oct 3 14:09:42: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Maximum number of retransmissions reached
Responder SPI : 0000000000000000 Message id: 0
Seems like the remote router is acting as a duck: it does not respond to your control-plane messages.
Is there a cert involved, and is it still valid? Could you run the command debug crypto pki transactions and show the output? Did the remote side do a cert renewal? If they did, do you have the root and intermediate cert? I have seen similar issues where
*Oct 3 14:09:42.404: IKEv2:(SESSION ID = 16,SA ID = 1):Abort exchange
*Oct 3 14:09:42.405: IKEv2:(SESSION ID = 16,SA ID = 1):Deleting SA
*Oct 3 14:09:42.405: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Oct 3 14:09:42.405: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
the remote side did a cert renewal with the same CA, but the issue occurred because the CA chain (for example the intermediate CA) was different.
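The NEG_ABORT line quoted above carries a useful triage signal: an all-zero Responder SPI with Message id 0 means the peer never answered the IKE_SA_INIT request at all, which points at reachability, a silently dropping hub, or a peer-side admission or resource limit rather than a later authentication or child-SA problem. The following parser is an added example, not code from the thread or from Cisco; it classifies the thread's own log line plus a constructed second event with a non-zero SPI for contrast. The verdict strings and the sample lines are assumptions constructed for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the first two lines are the ones quoted in the thread; the
# last two are a constructed later-stage abort (non-zero responder SPI) for contrast.
SAMPLE_LOG = """\
Oct 3 14:09:42: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Maximum number of retransmissions reached
Responder SPI : 0000000000000000 Message id: 0
Oct 3 14:15:10: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Maximum number of retransmissions reached
Responder SPI : 1A2B3C4D5E6F7081 Message id: 3
"""

ABORT_RE = re.compile(r"%IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: (?P<reason>.+)$")
SPI_RE = re.compile(r"Responder SPI\s*:\s*(?P<spi>[0-9A-Fa-f]{16})\s+Message id:\s*(?P<msgid>\d+)")

@dataclass
class AbortEvent:
    reason: str
    responder_spi: str  # 16 hex digits as printed by IOS XE
    message_id: int

    @property
    def verdict(self) -> str:
        # Responder SPI is only filled in once the peer replies to IKE_SA_INIT (message id 0),
        # so zero SPI + message id 0 + retransmit timeout means the peer never replied at all.
        if "retransmissions" in self.reason and self.responder_spi == "0" * 16 and self.message_id == 0:
            return ("no reply to IKE_SA_INIT: check UDP 500/4500 reachability, whether the peer is "
                    "listening, and peer-side call admission / resource limits")
        if "retransmissions" in self.reason:
            return "IKE SA existed but a later exchange went unanswered: check peer state, rekey and DPD"
        return "other abort: " + self.reason

def parse_neg_aborts(text: str) -> list[AbortEvent]:
    """Pair each NEG_ABORT line with the Responder SPI / Message id line that follows it."""
    events: list[AbortEvent] = []
    pending_reason: str | None = None
    for line in text.splitlines():
        if (m := ABORT_RE.search(line)):
            pending_reason = m.group("reason").strip()
            continue
        if pending_reason is not None and (m := SPI_RE.search(line)):
            events.append(AbortEvent(pending_reason, m.group("spi").upper(), int(m.group("msgid"))))
            pending_reason = None
    return events

if __name__ == "__main__":
    for ev in parse_neg_aborts(SAMPLE_LOG):
        print(f"SPI={ev.responder_spi} msgid={ev.message_id}: {ev.verdict}")
```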
10-04-2022 02:19 AM - edited 10-27-2023 04:30 AM
Thanks, I have tried to renew the certificate, but I am still having the same issue.
10-04-2022 03:05 AM
As a process of elimination, could you put both routers on PSK, take off the PKI cert, and test it?
10-04-2022 04:22 AM
Unfortunately I can't do this, due to limited access to the customer's HUB-end router.
10-04-2022 03:12 AM
R# show crypto call admission statistics
Share the output here.
10-04-2022 04:20 AM - edited 10-27-2023 04:31 AM
Not possible!!
10-06-2022 09:39 AM
Hey MHM,
Tried the workaround given in that bug (reload and increasing the CAC limit), but no luck!!!
However, we tried removing and recreating the pre-shared key, and it resolved the issue!
Not sure how it worked, but finally the issue is resolved for me.
