01-27-2010 08:52 AM
Hi Everyone:
We have a Cisco 1841 router acting as a group member in a GETVPN network. When this router reloads, the ISAKMP process always stays OFF (%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF) and only starts once we force it through a clear crypto gdoi command or by manually disabling/enabling the crypto map on the interface; otherwise Phase 1 never starts and the GM never registers to the KS. Other group members in the network do not have this problem, and they have the same ISAKMP policy and GDOI configuration.
All routers in the network have the same IOS (C1841-ADVIPSERVICESK9-M, Version 12.4(15)T8, RELEASE SOFTWARE (fc3)), but this problem is only present on one router.
A debug crypto isakmp was issued on the odd router but it didn't show any information because ISAKMP is stuck. After we issued the clear crypto gdoi command, ISAKMP begins negotiation and authentication and the SA is finally established.
This is the router log after issuing a reload command:
*Jan 27 10:51:44.695: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T8, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Mon 01-Dec-08 13:52 by prod_rel_team
*Jan 27 10:51:44.699: %SNMP-5-COLDSTART: SNMP agent on host XXXXXXXX is undergoing a cold start
*Jan 27 10:51:44.763: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Jan 27 10:51:44.919: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Jan 27 10:51:44.919: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Jan 27 10:51:44.919: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Jan 27 10:51:45.999: %SYS-6-BOOTTIME: Time taken to reboot after reload = 130 seconds
This is the crypto configuration:
crypto isakmp policy 10
 encr 3des
 group 2
!
!
crypto gdoi group GETVPN
 identity number 10
 server address ipv4 a.b.c.d
 server address ipv4 x.y.z.x
!
!
crypto map GETVPN-MAP local-address FastEthernet0/1
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
Thanks in advance.
Damián
02-03-2010 07:04 AM
It's a bug!! Confirmed by Cisco TAC. Cisco IOS Software version 12.4(15)T fc10 fixed this bug.
Thanks to all.
10-23-2010 11:27 PM
Hmm, I am seeing the same behavior under Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(18), R
Would you share your TAC case # so I can take it up with them again and see if possibly 4(18) is having the same issue you did before?
10-25-2010 06:55 AM
Hi,
There is a known issue with GETVPN that's fixed in 12.4(15)T10:
This causes the router to not register with the KS after a reload. However, it's specific to a GETVPN configuration, which 12.4 mainline code does not support. I would suggest you open a TAC case to have it investigated.
Thanks,
Wen
09-20-2012 06:39 AM
Hi,
Today I found this bug (CSCsv29424) under c890-universalk9-mz.151-4.M4 on an 892 router. The workaround mentioned in the BugToolkit worked. Any experience with it?
Kind regards,
Daniel