Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1443
Views
0
Helpful
2
Replies

VPN l2l - Internal error

leozin8585
Level 1
Level 1

‎04-02-2012 05:19 PM

We are getting strange errors with some tunnels:

Apr 02 2012

17:32:41

713232





Group = DefaultL2LGroup, IP = XXXXX, SA lock   refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 1,   qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0,   qm_encrypt_cb = 0

Apr 02 2012

17:54:38

713231





Group =   DefaultL2LGroup, IP = XXXXX, Internal Error, ike_lock trying to   unlock bit that is not locked for type SA_LOCK_P1_SA_CREATE

Some ip's are getting stuck and increase the established tunnels on ASA, We can see 2500 host connected but ASA showing up like 3000.

crypto ipsec transform-set ATM esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map XXXX 1 match address XXXXX

crypto dynamic-map XPTO 1 set pfs

crypto dynamic-map XPTO 1 set transform-set ATM

crypto dynamic-map XPTO 1 set reverse-route

crypto dynamic-map XPTO 1 match address XPTO_ATM_200

crypto dynamic-map XPTO_AS 1 set pfs

crypto dynamic-map XPTO_AS 1 set transform-set XPTP

crypto dynamic-map XPTO_AS 1 set reverse-route

crypto map XPTOP 120 ipsec-isakmp dynamic XPTO_ATM_MAP

crypto map XPTO_AT interface outside

crypto map XPTO_AS 600 ipsec-isakmp dynamic XPTO_ATM_MAP_AS

crypto map XPTO_AS interface outside-as

crypto isakmp enable outside

crypto isakmp enable outside-as

crypto isakmp policy 10

Just want to fix that issue.

Labels:
0 Helpful
2 Replies 2

Karl_F
Level 1
Level 1

‎06-19-2012 09:12 AM

Hi Leonardo,

I am seeing a similar error, can you tell me if your ASA was locking up at all? Console access working but all ports lockedup, needed a reboot to return?

Rgds,

Karl.

0 Helpful

leozin8585
Level 1
Level 1
In response to Karl_F

‎06-19-2012 05:29 PM

Hello Karl,

We already solved this issue applying the following commands:

sysopt connection preserve vpn flows

crypto isakmp nat-traversal 20

Try it and let us know

0 Helpful
Customers Also Viewed These Support Documents