Solved: ISR4451 - S/W Upgrade issues - 16.12.05 to 17.09.05a - any ideas ?

Stephen Carter · ‎08-05-2024

Issue - Group / Phase 1_id corrupted after s/w upgrade from 16.12.05 to 17.09.05a.

When doing a s/w upgrade it was noticed that some VPN connections weren't working, and when checked the output to the

Show Crypto Session Brief command was showing a corrupted group/phase 1 id.

Any ideas as to what could be causing this ??

In typing this, a thought has occurred - in the output below - the group / phase id with the IP addresses are P2P VPN connections, the others are using EZVPN - Has EZVPN been demised TOTALLY ?? hence the links not working ???

Thx

Output below -

Penn-VPN#sh cry session brief

Peer I/F Username Group/Phase1_id Uptime Status

555.555.555.555 Gi0/0/0 555.555.555.555 00:00:15 UA

444.444.444.444 Gi0/0/0 444.444.444.444 00:01:37 UA

666.666.666.666 Gi0/0/0 J` D

777.777.777.777 Gi0/0/0 HB D

888.888.888.888 Gi0/0/0 DN

Stephen Carter · ‎08-07-2024

OK, so i've read the release notes - and it appears that MD5, 3DES etc are in the process of being demised if not already, so to move to a point where no-one is using them - Cisco have 'demised' them with this s/w release, well 17.7 onwards.

But if you need to use them the you need to apply this command -

crypto engine compliance shield disable

And then do a reboot - that should fix the problem.

View solution in original post

Stephen Carter · ‎08-07-2024

OK, so i've read the release notes - and it appears that MD5, 3DES etc are in the process of being demised if not already, so to move to a point where no-one is using them - Cisco have 'demised' them with this s/w release, well 17.7 onwards.

But if you need to use them the you need to apply this command -

crypto engine compliance shield disable

And then do a reboot - that should fix the problem.