ISAKMP doesn't start after reload

damprieto86
Level 1

Hi Everyone:

We have a Cisco 1841 Router acting as a group member in a GETVPN network. When this router reloads, the ISAKMP process always stays OFF (%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF) and only starts once we force it through a clear crypto gdoi command or by manually disabling/enabling the crypto map on the interface; otherwise Phase 1 never starts and the GM never registers to the KS. Other group members in the network do not have this problem and have the same ISAKMP policy and GDOI configuration.

All routers in the network have the same IOS (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T8, RELEASE SOFTWARE (fc3)) but this problem is only present on one router.

A debug crypto isakmp was issued on the odd router but it didn't show any information because ISAKMP is stuck. After we issued the clear crypto gdoi command, ISAKMP begins negotiation and authentication and the SA is finally established.

This is the router log after issuing a reload command:

*Jan 27 10:51:44.695: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T8, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Mon 01-Dec-08 13:52 by prod_rel_team
*Jan 27 10:51:44.699: %SNMP-5-COLDSTART: SNMP agent on host XXXXXXXX is undergoing a cold start
*Jan 27 10:51:44.763: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Jan 27 10:51:44.919: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Jan 27 10:51:44.919: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Jan 27 10:51:44.919: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Jan 27 10:51:45.999: %SYS-6-BOOTTIME: Time taken to reboot after reload =  130 seconds

This is the crypto configuration:

crypto isakmp policy 10
 encr 3des
 group 2
!
!
crypto gdoi group GETVPN
 identity number 10
 server address ipv4 a.b.c.d
 server address ipv4 x.y.z.x
!
!
crypto map GETVPN-MAP local-address FastEthernet0/1
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN

thanks in advance.

Damián
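As an added monitoring example (not part of the original post and not Cisco code): a small Python check that parses the %CRYPTO-6-ISAKMP_ON_OFF / %CRYPTO-6-GDOI_ON_OFF messages logged after a %SYS-5-RESTART and flags a group member whose GDOI process came up while ISAKMP never reported ON, which is the stuck state described above. The "stuck" sample is the log from the post; the "healthy" sample is constructed to show what a GM that recovers would log.

```python
import re

# Sample from the post above: ISAKMP stays OFF while GDOI turns ON after the reload.
STUCK_LOG = """\
*Jan 27 10:51:44.695: %SYS-5-RESTART: System restarted --
*Jan 27 10:51:44.919: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Jan 27 10:51:44.919: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Jan 27 10:51:44.919: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Jan 27 10:51:45.999: %SYS-6-BOOTTIME: Time taken to reboot after reload =  130 seconds
"""

# Constructed sample (assumption) of a healthy group member: ISAKMP comes back ON.
HEALTHY_LOG = """\
*Jan 27 10:51:44.695: %SYS-5-RESTART: System restarted --
*Jan 27 10:51:44.919: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Jan 27 10:51:44.919: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Jan 27 10:51:44.919: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Jan 27 10:51:45.210: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
"""

# Matches the on/off transition messages for either crypto process.
ON_OFF = re.compile(r"%CRYPTO-6-(ISAKMP|GDOI)_ON_OFF: \1 is (ON|OFF)")


def crypto_state_after_reload(log):
    """Return {'restarted': bool, 'ISAKMP': state, 'GDOI': state}, considering
    only messages logged after the most recent %SYS-5-RESTART line."""
    state = {"restarted": False, "ISAKMP": None, "GDOI": None}
    for line in log.splitlines():
        if "%SYS-5-RESTART" in line:
            # A new boot: discard anything seen before it.
            state = {"restarted": True, "ISAKMP": None, "GDOI": None}
            continue
        m = ON_OFF.search(line)
        if m and state["restarted"]:
            state[m.group(1)] = m.group(2)
    return state


def gm_stuck_after_reload(log):
    """True when the router reloaded, GDOI came up, but ISAKMP never reported ON:
    Phase 1 cannot start, so the group member will not register with the KS."""
    s = crypto_state_after_reload(log)
    return s["restarted"] and s["GDOI"] == "ON" and s["ISAKMP"] != "ON"


if __name__ == "__main__":
    for name, log in (("stuck", STUCK_LOG), ("healthy", HEALTHY_LOG)):
        print(name, crypto_state_after_reload(log), "stuck:", gm_stuck_after_reload(log))
```

Run it over the logging buffer only after boot has settled (the post shows about 130 seconds to reload), otherwise a GM that is still coming up is reported as stuck.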

Accepted Solution

Hi,

There is a known issue with GETVPN that's fixed in 12.4(15)T10:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsv29424

This causes the router to not register with the KS after a reload. However, it's specific to a GETVPN configuration, which 12.4 mainline code does not support. I would suggest you open a TAC case to have it investigated.

Thanks,

Wen


4 Replies

damprieto86
Level 1

It's a bug!! Confirmed by Cisco TAC. Cisco IOS Software version 12.4(15)T fc10 fixed this bug.

thanks to all.

Hmm, I am seeing the same behavior under Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(18), R

Would you share your TAC case # so I can take it up with them again and see if possibly 4(18) is having the same issue you did before?

danielkuhl
Level 1

Hi,

Today I found this bug (CSCsv29424) under c890-universalk9-mz.151-4.M4 on an 892 router. The workaround mentioned at the BugToolkit worked. Any experience with it?

Kind regards,

Daniel