
Problems with ISM VPN Accelerator on Cisco 1941

Stefan Strand
Level 1

Hi,

I'm running DMVPN together with IPSEC on a Cisco 1941 with the (new) ISM VPN Module.

My problem is that when I enable the ISM VPN module, then the DMVPN tunnels refuse to come up.

ISAKMP is OK, the IPSEC tunnels are OK, but there is no outgoing traffic through the DMVPN tunnels.

I've recently upgraded to IOS 15.4(2)M1, this didn't solve the problem.

My only solution is to disable the ISM VPN module with "no crypto engine slot 0", then reboot the router.

And then all the tunnels come up...

Has anyone else experienced similar problems?

6 Replies

Stefan Strand
Level 1

(sorry, IOS 15.2(4)M1, typo)

You have the following options for your bugs:

1. For working around CSCtz94286, the ACL entry needs the following to be added on the external interface if the external interface has an ACL restricting INBOUND. The packet is classified wrong in software. Packets are going to arrive with the GRE header exposed due to ESP wrapper, but hence the bug

Permit gre host host

Permit gre host host

2. For the IOS versions that will have the fix for both CSCtz94286 (ISM issue) and CSCua15292 (IOS router crash issue)
   a. 15.2(3)T2 - 10/12/12
   b. 15.2(4)M2 – 11/9/12

3. 15.2(4)M1 already on CCO has the fix for CSCua15292 but not for CSCtz94286 and so the customer will have to apply the above mentioned workaround in #1.

4. Now I also have one more suggestion, the IOS crash (CSCua15292) is applicable only for onboard VPN engine. If the customer has the fix for CSCtz94286 and are working fine with the ISM VPN module, they will not run into CSCua15292.

If that is acceptable they can move to 15.2(1)T3 - 8/31/12 or 15.2(2)T2 – 08/10/12

Hi,

I have tried the workaround for CSCtz94286 but it doesn't seem to work. The strange thing is that the IPSEC L2L tunnels work... but not the DMVPN tunnels.

I'm already running 15.2(4)M1 so I don't think that I need to worry about CSCua15292.

I also have a TAC case open through my Cisco Supplier and got the same advice from TAC...

Could it be that there's another, new bug?

The new IOS (15.2.2T2) that was released today solved my problem.

I have a 2900 with over 15 DMVPN tunnels and have the same issue. I have recently upgraded from 15.2.4.M1 to 15.3.2.T based on advice from the TAC and that has not solved the issue. I also replaced the ISM and it crashed twice in a 2 hour stretch. If this is a software issue then which version should I use?

Here is the error:

May  1 15:51:42: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Decr Replay Chk Failure:srcadr=202.62.120.110,dstadr=199.231.236.249,size=1500,sequence number=0x27EAC,SPI=0xDD169B44

May  1 15:52:34: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x362BF7A0z  reading 0x10
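
An added example, not part of the thread and not Cisco tooling: a Python triage script that parses `%VPN_HW-1-PACKET_ERROR` lines in the format posted above and counts anti-replay check failures per security association, which helps tell a single affected tunnel from a module-wide fault. The function names are hypothetical, and the sample lines using 192.0.2.10 and 198.51.100.20 are constructed.

```python
import re
from collections import Counter

# Field layout taken from the %VPN_HW-1-PACKET_ERROR line posted above.
PACKET_ERROR = re.compile(
    r"%VPN_HW-1-PACKET_ERROR: slot: (?P<slot>\d+) "
    r"Packet Encryption/Decryption error, (?P<reason>[^:]+):"
    r"srcadr=(?P<src>[\d.]+),dstadr=(?P<dst>[\d.]+),size=(?P<size>\d+),"
    r"sequence number=(?P<seq>0x[0-9A-Fa-f]+),SPI=(?P<spi>0x[0-9A-Fa-f]+)"
)

def parse_packet_error(line):
    """Return the fields of one PACKET_ERROR line, or None for other messages."""
    m = PACKET_ERROR.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["slot"] = int(rec["slot"])
    rec["size"] = int(rec["size"])
    rec["seq"] = int(rec["seq"], 16)  # ESP sequence number as an integer
    return rec

def replay_failures_by_sa(lines):
    """Count 'Decr Replay Chk Failure' events per (src, dst, SPI)."""
    counts = Counter()
    for line in lines:
        rec = parse_packet_error(line)
        if rec and rec["reason"] == "Decr Replay Chk Failure":
            counts[(rec["src"], rec["dst"], rec["spi"])] += 1
    return counts

# First and last lines are from the post; the 192.0.2.10 lines are constructed.
SAMPLE_LOG = [
    "May  1 15:51:42: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, "
    "Decr Replay Chk Failure:srcadr=202.62.120.110,dstadr=199.231.236.249,size=1500,"
    "sequence number=0x27EAC,SPI=0xDD169B44",
    "May  1 15:51:50: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, "
    "Decr Replay Chk Failure:srcadr=192.0.2.10,dstadr=198.51.100.20,size=1400,"
    "sequence number=0x10,SPI=0x1A2B3C4D",
    "May  1 15:51:51: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, "
    "Decr Replay Chk Failure:srcadr=192.0.2.10,dstadr=198.51.100.20,size=1400,"
    "sequence number=0x11,SPI=0x1A2B3C4D",
    "May  1 15:52:34: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x362BF7A0z  reading 0x10",
]

if __name__ == "__main__":
    for (src, dst, spi), n in replay_failures_by_sa(SAMPLE_LOG).most_common():
        print(f"{n} replay failure(s): {src} -> {dst} SPI {spi}")
```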