03-14-2013 08:31 AM
Hi all,
We have a site-to-site VPN that has been working for years. Suddenly this week, I found the below syslog warning and I checked the link. It is up and operational; however, show cryp isak sa shows a huge amount of established tunnels (QM_IDLE)... 48 in total. The clear crypto isak sa does not do anything better, and neither does a reboot. Has anyone ever run into this issue? Cisco docs and Google mention IOS bugs, but both ends of the tunnel have been working just fine for the last 4 years or so.
sh crypto isakmp sa cou
Active ISAKMP SA's: 48
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 2
Warning >>> From Syslog server
361: 000322: * decaps: rec'd IPSEC packet has invalid spi for destaddr=1x.1xx.9.x prot=50, spi=0x1D64B6D6(493139670), srcaddr=12.1x.xx.xx
Thanks,
03-14-2013 09:18 PM
That error message might appear during rekey, as the old SPI might still be used while the new one has been sent by the peer, or vice versa. Do you actually have any issue with the tunnel, or are you just concerned about the error messages?
03-15-2013 07:28 AM
Hi Jen,
Thanks for the reply.... In fact Google did help me understand the error message; what I am trying to understand is why I have 48 active ISAKMP SAs (48 QM_IDLE when I do show crypto isakmp sa). Usually it's one QM_IDLE when the tunnel is established.
Thanks,
03-15-2013 11:38 AM
Sounds like a bug to me.
I've found a matching bug that might be affecting your router: bugID: CSCsh53141
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh53141
The workaround says: issue "clear crypto isakmp"
03-15-2013 12:09 PM
Thanks Jen... Yeah, a few docs that I consulted say that. However, in my case the clear crypto isakmp does not do much. When I issued the command, all the SAs went to MM_NO_STATE and all 48 of them came back to QM_IDLE again. I even reloaded both ends of the tunnel!
Even though traffic isn't affected at the moment, I am still concerned about it. Some docs do mention possible CPU load in the near future!
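For anyone comparing their own output against this thread, here is an added example (not posted by any participant, and not Cisco code) that counts QM_IDLE phase-1 SAs per pair of tunnel endpoints and lines them up with invalid-SPI warnings from the same peer. It assumes the usual dst/src/state/conn-id/status column layout of `show crypto isakmp sa` and the syslog shape quoted in the first post; all addresses, conn-ids and SPI values are constructed.

```python
import re
from collections import Counter
# Constructed `show crypto isakmp sa` output; addresses are documentation ranges.
SAMPLE_SA = """\
dst             src             state          conn-id status
192.0.2.1       198.51.100.7    QM_IDLE           1001 ACTIVE
192.0.2.1       198.51.100.7    QM_IDLE           1002 ACTIVE
198.51.100.7    192.0.2.1       QM_IDLE           1003 ACTIVE
192.0.2.1       203.0.113.9     QM_IDLE           1004 ACTIVE
192.0.2.1       198.51.100.7    MM_NO_STATE       1000 ACTIVE (deleted)
"""
# Constructed syslog lines shaped like the warning quoted in the first post.
SAMPLE_LOG = """\
361: 000322: * decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.7
362: 000323: * decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1 prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.7
"""
IP = r"\d+\.\d+\.\d+\.\d+"
SA_ROW = re.compile(rf"^({IP})\s+({IP})\s+(\S+)\s+(\d+)\s+(\S.*)$")
INV_SPI = re.compile(r"invalid spi for destaddr=(\S+?),?\s+prot=(\d+),\s*spi=(0x[0-9A-Fa-f]+)\(\d+\),\s*srcaddr=(\S+)")

def peer_key(a, b):
    """Order-independent key: dst/src swap depending on who initiated."""
    return tuple(sorted((a, b)))

def idle_sas_per_peer(show_output):
    """Count QM_IDLE phase-1 SAs per pair of tunnel endpoints."""
    counts = Counter()
    for line in show_output.splitlines():
        m = SA_ROW.match(line.strip())
        if m and m.group(3) == "QM_IDLE":
            counts[peer_key(m.group(1), m.group(2))] += 1
    return counts

def duplicate_peers(show_output, expected=1):
    """Endpoint pairs holding more QM_IDLE SAs than expected."""
    return {k: n for k, n in idle_sas_per_peer(show_output).items() if n > expected}

def invalid_spi_events(log_text):
    """Count invalid-SPI warnings per (srcaddr, destaddr, spi)."""
    counts = Counter()
    for dst, _prot, spi, src in INV_SPI.findall(log_text):
        counts[(src, dst, spi.lower())] += 1
    return counts

def report(show_output, log_text):
    """Rows of (src, dst, spi, warning hits, QM_IDLE SAs for that endpoint pair)."""
    idle = idle_sas_per_peer(show_output)
    return [(src, dst, spi, hits, idle[peer_key(src, dst)])
            for (src, dst, spi), hits in invalid_spi_events(log_text).items()]
```

Running `report()` on captures taken a few minutes apart shows whether the same SPI keeps being rejected or only appears briefly, and whether the SA count for that peer keeps growing.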