Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
393
Views
0
Helpful
4
Replies

LAN-2-LAN VPN EXPERIENCING HUGE Phase 1 NEGO

Jean Paul Enerst
Level 3
Level 3

‎03-14-2013 08:31 AM

Hi all,

               We have a site to site VPN that has been working for years. Suddently this week, after i found the  below syslog warning and i check the link. It is up and operatioanl;however, the show cryp isak sa shows a huge mount of  establish tunnels(qm_idle)... 48 in total. The clear crypto isak sa does not do anything berter, enither is a reboot. Has anyone ever run into this issue? Cisco doc and google mention IOS bugs, buty both end of the tunnel have been working just fine for the last 4 years or so.

sh crypto isakmp sa cou

Active ISAKMP SA's: 48

Standby ISAKMP SA's: 0

Currently being negotiated ISAKMP SA's: 0

Dead ISAKMP SA's: 2

Warning >>> From Syslog server

361: 000322: * decaps: rec'd IPSEC packet has invalid spi for destaddr=1x.1xx.9.x prot=50, spi=0x1D64B6D6(493139670), srcaddr=12.1x.xx.xx

Thanks,

Labels:
0 Helpful
4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

‎03-14-2013 09:18 PM

That error message might appear during rekey as the old SPI might still be used while the new one has been sent by the peer, or vice versa. Do you actually have any issue with the tunnel, or you are just concern about the error messages?

0 Helpful

Jean Paul Enerst
Level 3
Level 3
In response to Jennifer Halim

‎03-15-2013 07:28 AM

Hi Jen,

               Thanks for the reply.... In fact google did help understand the error message what i am trying to understand is what i have 48 active ISAKMP Sa( 48 QM_IDLE when i do show crypto isamkp sa). Usually it's one QM_IDLE when the tunnel is establish.

Thanks,

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to Jean Paul Enerst

‎03-15-2013 11:38 AM

Sounds like a bug to me.

I've found a matching bug that might be affecting your router: bugID: CSCsh53141

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh53141

The workaround says: issue "clear crypto isakmp"

0 Helpful

Jean Paul Enerst
Level 3
Level 3
In response to Jennifer Halim

‎03-15-2013 12:09 PM

Thanks Jen... Yeah,  few docs that i consulted says that. However, in my case the clear crypto isakmp does not do much. When issued the commands all the SA went MM_NO_STATE and all the 48 of them came back to QM_IDLE again. I even reloaded both ends of the Tunnel!

Even though traffic isn't affected at the moment, but i am still concern out it. Some docs do mention possible of CPU load in near fiture!

0 Helpful
Customers Also Viewed These Support Documents