Unstable IPSEC tunnel between Cisco892 and Chkpt VSX R67 / ISAKMP error

krahmani323
Level 3

Hello community,

I am currently experiencing an issue with an IPSEC Tunnel between a Cisco892-K9 (c890-universalk9-mz.124-22.YB.bin / Feature: advipservices) and a Checkpoint VSX R67.

After reloading the router the tunnel is stable, but afterwards we lose the connection to the LAN unexpectedly (max. time of the connection is ~2h30).

In fact after a reload the first ISAKMP SA is well negotiated with conn-id 2001 and after a certain amount of time the connection is lost, always associated with this debug message =>

ISAKMP:(2001):error from epa_ikmp_gen_ipsec (QM_IDLE     )

ISAKMP:(2001):Unable to generate IPsec key for 799280698!

ISAKMP:(2001):deleting SA reason "Death by retransmission P2" state (I) QM_IDLE       (peer 194.X.X.X)

and so on ....

We supposed it was related to DPD messages so we deactivated the keepalive (no crypto isakmp keepalive). We also tried to play with the ACL matching the crypto map (currently from local subnets to any), but still no luck.

When it is stable the 'show crypto isakmp sa' indicates an ISAKMP SA (QM_IDLE / ACTIVE), and when the problem occurs the active ISAKMP SA is deleted and recreated (in ACTIVE state) continuously: conn-id 2001, 2002, 2003, 2004 etc. ... but still no access to the LAN.

My main question is to know if someone has already met or knows the meaning of the previous ISAKMP debug messages (along with the total debug message + crypto conf from the beginning of the problem) => May it be platform support (near 200 IPsec flows in use => mostly subnet to subnet flows, few subnet to host flows; 200 users on site), compatibility, crypto map ACL ...???

We have other Cisco platforms with the same configuration working well with the same FW; this is the first 892 we are using; the reload fixes the issue.

Thanks a lot for your suggestions.

Kind regards.

Karim

5 Replies

Herbert Baerten
Cisco Employee

Hi karim,

I guess you may indeed be running into the limit this platform supports.

Check "show crypto ipsec sa count" and "show crypto eli".

hth

Herbert

Hello Herbert,

And thank you very much for your reply !

Indeed, as you suggested, in my environment the command 'show crypto eli' indicated a number of IPSec-Sessions which varies from ~200 to ~500 (1000 max) depending on the period of the day/week.

When this number is stable everything is good on site.

In fact I noticed that from one moment (independently from the time of the day) the number of IPSec-Sessions from the 'show crypto eli' for the hardware CryptoEngine begins to increase dramatically (without decreasing) until reaching the 1000 max sessions.

From this point the debug outputs begin to appear; understanding better their meaning => unable to generate more IPsec keys, killing the ISAKMP SA due to phase 2 retransmission, and so on...

What is surprising is the fact that, before reaching the 1000 max IPsec sessions, the IPSec-Sessions count from 'show crypto eli' is far higher than the IPsec SA count given by 'show crypto ipsec sa count'... I am wondering if it is normal, because usually I think the two values should be the same.

Example taken from the same 'show crypto tech-support', ~20 minutes before the issue:

------------------ show crypto ipsec sa count ------------------

IPsec SA total: 462, active: 0, rekeying: 2, unused: 0, invalid: 0

------------------ show crypto eli ------------------

Hardware Encryption : ACTIVE

Number of hardware crypto engines = 1

CryptoEngine Motorola Talitos 2.0 details: state = Active

Capability     : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE

IPSec-Session :  794 active, 1000 max, 0 failed

------------------------------------------------------------------------------------

Finally,

I am wondering if it is due to a kind of IPsec-Session LEAK affecting the crypto engine (a kind of bug CSCsj17977 in another scenario)... Anyway I will upgrade to 124-22.YB8 from tomorrow.

If it does not fix it, I will try to send a 28xx with an AIM-VPN module.

Thanks anyway.

Karim
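The diagnosis in the reply above rests on two numbers that should normally track each other: the IPSec-Session counter of the hardware crypto engine ('show crypto eli') and the SA total from 'show crypto ipsec sa count'. The script below is an added example, not code from this thread or from Cisco: it parses both outputs (the sample text is constructed, modelled on the lines pasted above, including the 3845-style layout that lists IKE-Session and DH-Key counters) and flags two conditions a defender would want to alarm on before the router stops generating IPsec keys: engine utilisation approaching the reported maximum, and the engine session count drifting well above the SA count, which is the leak signature described in the thread. The threshold values are assumptions chosen for illustration.

```python
import re

# Constructed sample output in the 892 layout seen earlier in this thread.
SHOW_CRYPTO_ELI_892 = """\
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Motorola Talitos 2.0 details: state = Active
Capability     : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE
IPSec-Session :  794 active, 1000 max, 0 failed
"""
SHOW_SA_COUNT_892 = "IPsec SA total: 462, active: 0, rekeying: 2, unused: 0, invalid: 0\n"

# Constructed sample output in the 3845 layout (IKE and DH counters present).
SHOW_CRYPTO_ELI_3845 = """\
Hardware Encryption Layer :   ACTIVE
Number of crypto engines = 1 .
CryptoEngine-0 (slot-0) details.
Capability-IPSec : IPPCP, 3DES, AES, NoRSA
IKE-Session   :     0 active,   500 max, 0 failed
DH-Key        :     0 active,   500 max, 0 failed
IPSec-Session :     6 active,  1000 max, 0 failed
"""
SHOW_SA_COUNT_3845 = "IPsec SA total: 6, active: 6, rekeying: 0, unused: 0, invalid: 0\n"

# One regex covers every "<kind> : N active, N max, N failed" counter line.
ELI_COUNTER_RE = re.compile(
    r"^\s*(?P<kind>IKE-Session|DH-Key|IPSec-Session)\s*:\s*"
    r"(?P<active>\d+)\s+active,\s*(?P<max>\d+)\s+max,\s*(?P<failed>\d+)\s+failed",
    re.MULTILINE,
)
SA_TOTAL_RE = re.compile(r"IPsec SA total:\s*(?P<total>\d+)")


def parse_crypto_eli(text):
    """Map each engine counter ('IPSec-Session', 'IKE-Session', 'DH-Key') to its numbers."""
    counters = {}
    for m in ELI_COUNTER_RE.finditer(text):
        counters[m.group("kind")] = {
            k: int(m.group(k)) for k in ("active", "max", "failed")
        }
    return counters


def parse_sa_total(text):
    """Return the 'IPsec SA total' figure from 'show crypto ipsec sa count'."""
    m = SA_TOTAL_RE.search(text)
    if m is None:
        raise ValueError("no 'IPsec SA total' line in show crypto ipsec sa count output")
    return int(m.group("total"))


def assess(eli_text, sa_count_text, util_warn=0.75, drift_warn=0.25):
    """Compare engine session usage with the SA table and return the findings.

    util_warn:  fraction of the engine maximum above which to warn (assumed 75%).
    drift_warn: engine sessions exceeding the SA total by more than this fraction
                is treated as a possible session leak (assumed 25%).
    """
    counters = parse_crypto_eli(eli_text)
    sess = counters.get("IPSec-Session")
    if sess is None:
        raise ValueError("no IPSec-Session line in show crypto eli output")
    sa_total = parse_sa_total(sa_count_text)

    utilization = sess["active"] / sess["max"] if sess["max"] else 1.0
    if sa_total:
        drift = (sess["active"] - sa_total) / sa_total
    else:
        # Engine sessions with no SAs at all: every session is unaccounted for.
        drift = float("inf") if sess["active"] else 0.0

    findings = []
    if utilization >= util_warn:
        findings.append(
            f"engine IPSec-Session at {sess['active']}/{sess['max']} "
            f"({utilization:.0%}); key generation fails at the maximum"
        )
    if drift > drift_warn:
        findings.append(
            f"engine sessions ({sess['active']}) exceed IPsec SA total ({sa_total}) "
            f"by {drift:.0%}; possible session leak, consider clearing SAs"
        )
    if sess["failed"]:
        findings.append(f"{sess['failed']} failed engine sessions reported")

    return {
        "session_active": sess["active"],
        "session_max": sess["max"],
        "sa_total": sa_total,
        "utilization": utilization,
        "drift": drift,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, eli, sa in (
        ("892", SHOW_CRYPTO_ELI_892, SHOW_SA_COUNT_892),
        ("3845", SHOW_CRYPTO_ELI_3845, SHOW_SA_COUNT_3845),
    ):
        result = assess(eli, sa)
        print(label, "OK" if not result["findings"] else "; ".join(result["findings"]))
```

Run against the 892 sample, the check raises both warnings (794 of 1000 sessions in use, and 332 more engine sessions than SAs), while the 3845 sample is clean; fed with periodic output from the real commands, the same comparison gives an early signal that the engine is filling up before the "Unable to generate IPsec key" debugs start.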

Did you get this fixed?

I am facing the same issue.

I have a VPN concentrator on one side,

and a Cisco 3845 dialing in like an Easy VPN solution, and after every hour or so the connection drops with this output:

ISAKMP:(0:6:SW:1):deleting SA reason "Death by retransmission P2" state (I) QM_IDLE       (peer x.x.x.x)

any help would be appreciated.

Hello Ahmad,

In my case it was a 892 cisco router.

In fact my Cisco892 in IOS 12.4(22) incorrectly reported the maximum number of supported IPsec sessions as 1000 max.

===============================

sh crypto eli

Hardware Encryption : ACTIVE

Number of hardware crypto engines = 1

CryptoEngine Motorola Talitos 2.0 details: state = Active

IPSec-Session :    30 active,  1000 max, 0 failed

===============================

Thus when reaching a certain number of sessions (> 100) we could observe a kind of leak in the number of sessions, reaching 1000 with the specific logs reported initially. The only solution was to clear the SAs or reload the router.

TAC confirmed to me that it was an internal bug, and after upgrading to 15.X the normal value (100 IPsec SA sessions for 50 VPN tunnels) was then displayed.

Also in our case the SAs initiated from the remote side were negotiating host (or network) to subnet, instead of using the pre-existing any to subnet, explaining this increase.

To sum up, it was due to a platform performance limit which was reached especially due to the fact that the remote peer was negotiating host (or network) to subnet.

Best regards.

Karim

Actually, I am using a Cisco 3845 for dynamically dialing a VPN into my Cisco VPN Concentrator 3000, which has a static IP.

And when the issue happens, I can see only the IPsec tunnels up, not more than that,

but it happens almost exactly after 1 hour. I am looking for some mismatch in lifetime, but I have many other 871 routers connecting the same way to the 3000 concentrator without issues.

So I am stuck as to what is the matter with this 3845 :-s

sh crypto eli

Hardware Encryption Layer :   ACTIVE

Number of crypto engines = 1 .

CryptoEngine-0 (slot-0) details.

Capability-IPSec : IPPCP, 3DES, AES, NoRSA

IKE-Session   :     0 active,   500 max, 0 failed

DH-Key        :     0 active,   500 max, 0 failed

IPSec-Session :     6 active,  1000 max, 0 failed