IKE SA LIMIT REACHED
01-23-2024 10:51 AM
Many of our DMVPN spoke routers end up with this issue from time to time. I don't know of a way to clear this from the command line so that the tunnel comes back up. The only thing I know that will work is to reboot the router. Anyone out there know a better way?
%CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an IKE OUTGOING SA request from 192.168.4.21 to 74.x.x.x due to IKE SA LIMIT REACHED
01-23-2024 11:00 AM - edited 02-19-2024 02:46 PM
Check this. But before setting a limit, share:
show crypto call admission statistics
Let me check it.
MHM
01-23-2024 11:30 AM
Do you see this when you hit the platform limit for the number of IKE SA, e.g. due to spoke-to-spoke tunnels created, or you believe that you don't hit the platform limit and there is a Call Admission Control counter leak somewhere inside the software?
I assume this is IKEv1, right?
When this happens, collect a few outputs to know the real number of tunnels:
show crypto call admission statistics
show crypto eli
show crypto isakmp sa count
For IKEv2 there is another command instead of "show crypto call admission limit":
show crypto ikev2 stats
Do you have IKEv1 tunnels on the box in IKE Aggressive Mode? What's the platform and software version?
02-19-2024 01:20 PM
We have 881 routers right now. Upgrading to the 921 routers. Some sites have 4000 series routers.
Running ikev1. The encryption is pretty basic. Not sure if this is aggressive or not.
a-wilson-r881#show call admission statistics
Total call admission charges: 52, limit 0
Total calls rejected 0, accepted 0
Load metric: charge 52, unscaled 52%
a-wilson-r881#show crypto call admission statistics
---------------------------------------------------------------------
Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit: 0 Max IKE SAs: 30 Max in nego: 30
Total IKE SA Count: 30 active: 29 negotiating: 1
Incoming IKE Requests: 22 accepted: 14 rejected: 8
Outgoing IKE Requests: 16158 accepted: 13191 rejected: 2967
Rejected IKE Requests: 2975 rsrc low: 0 Active SA limit: 2975
In-neg SA limit: 0
IKE packets dropped at dispatch: 0
Max IPSEC SAs: 0
Total IPSEC SA Count: 1 active: 1 negotiating: 0
Incoming IPSEC Requests: 233 accepted: 233 rejected: 0
Outgoing IPSEC Requests: 280 accepted: 280 rejected: 0
Phase1.5 SAs under negotiation: 0
a-wilson-r881#show crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE
IPSec-Session : 2 active, 100 max, 0 failed
a-wilson-r881#show crypto isakmp sa count
Active ISAKMP SA's: 1
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 1
Dead ISAKMP SA's: 1
crypto isakmp policy 10
 encr aes
 group 5
 lifetime 7200
crypto isakmp keepalive 10 5 periodic
crypto isakmp profile DMVPN-ISAKMP
 match identity address 0.0.0.0
 match identity host domain x.x.com
 keepalive 10 retry 3
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set aes-set esp-aes esp-sha-hmac
 mode transport require
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile DMVPN-Profile
 set transform-set aes-set
 set isakmp-profile DMVPN-ISAKMP
!
crypto call admission limit ike sa 30
!
crypto call admission limit ike in-negotiation-sa 30
Thanks,
Andrew
01-23-2024 04:48 PM
1. Do you have access to the HUB side? Check for any limit on sessions:
show crypto call admission statistics
2. On the spoke router, do you have a stable connection to the hub?
3. What other logs do you see other than this one?
You can clear the crypto rather than reboot; that should also work.
clear crypto isakmp
clear crypto sa
02-05-2024 10:48 AM
Thanks for all the replies. As of right now, I don't have any routers with this error. Overall, I want to use this "clear" command in an EEM script running on the spoke router in order to "self-heal". Sometimes we have access to the router over one of the dual DMVPN links that is still up. Sometimes the spoke router is just completely offline and cannot be reached.
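An EEM applet of the kind this post asks for, added here as an example; it is not from the thread and not a Cisco-supplied script. It keys on the exact syslog message shown above, extracts the remote peer address from it, records what Call Admission Control thinks the IKE SA count is next to what ISAKMP actually holds (the gap later discussed in the thread), and then clears only the crypto session to that one peer with `clear crypto session remote`, rather than `clear crypto isakmp` / `clear crypto sa` for the whole router. It assumes the two DMVPN tunnels terminate on different hub addresses, so the tunnel that is still up is not touched; the applet name, the 3-in-10-minutes threshold and the syslog prefix are assumptions.

```cisco
! Added example: self-heal applet for "IKE SA LIMIT REACHED" on a DMVPN spoke.
! Applet name, thresholds and the IKE-SA-LIMIT-HEAL syslog prefix are assumptions.
event manager applet DMVPN-IKE-SA-LIMIT-HEAL
 ! Fire only after the denial has repeated 3 times within 10 minutes
 ! (the log shows it roughly every 60 s), so a single transient denial does nothing.
 event syslog pattern "CRYPTO-4-IKE_DENY_SA_REQ.*IKE SA LIMIT REACHED" occurs 3 period 600 maxrun 60
 ! The message reads "... from <local> to <peer> due to ..."; the second address is the hub.
 action 010 regexp "from ([0-9.]+) to ([0-9.]+) due to" "$_syslog_msg" whole lcl peer
 action 020 if $_regexp_result eq "1"
 action 030 cli command "enable"
 ! Log the CAC view and the real ISAKMP SA count before touching anything;
 ! CAC near its limit while ISAKMP holds one or two SAs is the counter-leak symptom.
 action 040 cli command "show crypto call admission statistics | include Total IKE SA Count"
 action 050 syslog msg "IKE-SA-LIMIT-HEAL: CAC view: $_cli_result"
 action 060 cli command "show crypto isakmp sa count | include Active ISAKMP"
 action 070 syslog msg "IKE-SA-LIMIT-HEAL: ISAKMP view: $_cli_result"
 ! Clear only the IKE and IPsec SAs to that one peer; the other DMVPN tunnel,
 ! which terminates on a different hub address, is left alone.
 action 080 cli command "clear crypto session remote $peer"
 action 090 syslog msg "IKE-SA-LIMIT-HEAL: cleared crypto session to $peer"
 action 100 else
 action 110 syslog msg "IKE-SA-LIMIT-HEAL: could not parse peer from: $_syslog_msg"
 action 120 end
```

After the applet fires, compare the two logged lines: if `Total IKE SA Count` stays pinned at the configured limit while `Active ISAKMP SA's` is small, the clear did not free anything and the router is in the state the thread describes as needing a reload. The applet deliberately does not reload on its own; the per-peer clear is the harmless first step, and the two syslog lines give you the evidence to decide whether a scheduled reload is the only remaining option.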
02-08-2024 02:13 AM - edited 02-19-2024 02:46 PM
I need to see
show crypto call admission statistics
when you can access the router.
MHM
02-19-2024 01:18 PM
I have a router doing this. Just one of the tunnels. Tunnel 10 is still up. Tunnel 20 is down.
A bunch of these in the log:
..
..
Feb 19 15:56:52.525 EST: %CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an IKE OUTGOING SA request from 192.168.68.60 to xx.242.59.5 due to IKE SA LIMIT REACHED
Feb 19 15:57:52.571 EST: %CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an IKE OUTGOING SA request from 192.168.68.60 to xx.242.59.5 due to IKE SA LIMIT REACHED
Feb 19 15:58:52.617 EST: %CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an IKE OUTGOING SA request from 192.168.68.60 to xx.242.59.5 due to IKE SA LIMIT REACHED
Feb 19 15:59:52.664 EST: %CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an IKE OUTGOING SA request from 192.168.68.60 to xx.242.59.5 due to IKE SA LIMIT REACHED
Feb 19 16:00:52.710 EST: %CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an IKE OUTGOING SA request from 192.168.68.60 to xx.242.59.5 due to IKE SA LIMIT REACHED
Feb 19 16:01:52.756 EST: %CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an IKE OUTGOING SA request from 192.168.68.60 to xx.242.59.5 due to IKE SA LIMIT REACHED
Feb 19 16:02:52.799 EST: %CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an IKE OUTGOING SA request from 192.168.68.60 to xx.242.59.5 due to IKE SA LIMIT REACHED
a-wilson-r881#show call admission statistics
Total call admission charges: 52, limit 0
Total calls rejected 0, accepted 0
Load metric: charge 52, unscaled 52%
BB recommends above to clear all crypto, but I don't want to take down both tunnels.
Thanks,
Andrew
02-19-2024 01:41 PM - edited 02-19-2024 01:42 PM
crypto call admission limit ike sa 30 <- change this to be 50
Since you have 29 active and 1 negotiating, which reaches the 30 max limit:
Total IKE SA Count: 30 active: 29 negotiating: 1
MHM
02-19-2024 02:45 PM - edited 02-19-2024 02:50 PM
I ran a lab and applied config to reproduce the issue:
hub config with IKE limit 1 and nego 10,
and immediately after I added the second spoke R4 the same error appeared.
So, friend, increase the IKE SA limit (not nego) to be more than 30 and check.
MHM
Immediately after changing the IKE SA limit the tunnel is UP.
02-19-2024 11:13 PM
@andrewdours, you need to work with TAC on this, because this looks like a bug. You probably can increase the CAC limit up to the platform limit by removing "crypto call admission limit ike sa 30" from the configuration completely, but this is not going to help you much. From the below outputs it's obvious that you have CAC counter leak: CAC shows that you already have 29 established IKEv1 sessions, while "show crypto isakmp sa count" tells that you have only one.
a-wilson-r881#show crypto call admission statistics
---------------------------------------------------------------------
Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit: 0 Max IKE SAs: 30 Max in nego: 30
Total IKE SA Count: 30 active: 29 negotiating: 1
Incoming IKE Requests: 22 accepted: 14 rejected: 8
Outgoing IKE Requests: 16158 accepted: 13191 rejected: 2967
Rejected IKE Requests: 2975 rsrc low: 0 Active SA limit: 2975
In-neg SA limit: 0
IKE packets dropped at dispatch: 0
Max IPSEC SAs: 0
Total IPSEC SA Count: 1 active: 1 negotiating: 0
Incoming IPSEC Requests: 233 accepted: 233 rejected: 0
Outgoing IPSEC Requests: 280 accepted: 280 rejected: 0
Phase1.5 SAs under negotiation: 0
a-wilson-r881#show crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE
IPSec-Session : 2 active, 100 max, 0 failed
a-wilson-r881#show crypto isakmp sa count
Active ISAKMP SA's: 1
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 1
Dead ISAKMP SA's: 1
02-20-2024 12:07 PM
TAC is not possible for this. These 881 routers are well past end of support. I suppose one day we'll either convert to SDWAN or reconfigure the DMVPN to be a true hub and spoke (no spoke to spoke VPNs) and then apply an access list on the spokes for just the hub routers to setup tunnels. I just wondered if there was a way to clear this type of issue without forcing a reboot on the spoke. Doesn't look like there's a good option.
Andrew
02-20-2024 10:58 PM
Yeah, you're right. The routers are EoS. In this case you can only try to install the latest IOS to work around bugs. I don't believe there is a way to clear this error condition without rebooting the router. But it is still worth removing the "crypto call admission limit ike sa 30" limit set in the config, because it doesn't make any sense. The "in-negotiation" limit is helpful to reduce the load when the router (re)establishes many tunnels at once, but the absolute limit is not helpful at all.
02-21-2024 02:01 AM
Remove crypto call admission limit ike sa 30???
Why remove it instead of increasing the number?
He has two tunnels and I think he configured failover between the two tunnels, so only one tunnel is forwarding traffic at a time.
There are 30 (or nearly 30) spokes, so tunnel 1 does IPsec to all these spokes; when it fails over to the other tunnel
the router adds 30 more IPsec sessions, so the number will be around 60. The router cannot drop the old 30 immediately and we cannot make the ISAKMP keepalive so short, so instead we increase the limit to 50-60 and let the router build the new 30 IPsec sessions to the spokes via the new tunnel head.
That is the whole issue here.
This command is used in the first place for security, so the router does not accept more IPsec VPNs than we want.
Removing it MAKES NO SENSE AT ALL.
MHM
