VTI's failing and not reinitialising

damon.kerr
Level 1

I'm running a Cisco 891. It has both crypto maps and IPsec VTIs running on the external interface. The crypto maps are for sites that do not have a Cisco router, and the tunnels are for the sites that do. The sites that use crypto maps work perfectly fine. But I much prefer using tunnels as it gives a routable interface, OSPF works, etc.

The tunnel interfaces will periodically fail (line protocol down) at no set interval, and they will then not come back up again. To bring them back up I either have to shut down and then re-enable the interface or run "clear cry ses rem *.*.*.*".

Logging with isakmp and ipsec errors provides the following:

55801: *May  1 10:31:16.015: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
55802: *May  1 10:31:16.015: ISAKMP:(2035):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE       (peer *.*.*.*)
55803: *May  1 10:31:16.015: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
55804: *May  1 10:31:45.855: ISAKMP:(2044):error from epa_ikmp_gen_ipsec (QM_IDLE      )
55805: *May  1 10:31:45.855: ISAKMP:(2044):Unable to generate IPsec key for -462981098!
55806: *May  1 10:31:50.475: ISAKMP:(2034):error from epa_ikmp_gen_ipsec (QM_IDLE      )
55807: *May  1 10:31:50.475: ISAKMP:(2034):Unable to generate IPsec key for -1837359635!
55808: *May  1 10:32:04.883: %OSPF-5-ADJCHG: Process 10, Nbr *.*.*.* on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired

I have not been able to find out what these errors relate to, despite my googling. Can anybody advise? I can provide my config if necessary.

3 Replies

damon.kerr
Level 1

I thought it might be a hardware limit, but 891s should support 50 VPNs.

VPN#sh cry isa sa count
Active ISAKMP SA's: 20
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 0

krahmani323
Level 3

Hello Damon,

About your post, I think I am experiencing the same (or at least a very similar) issue with the same isakmp/ipsec error debug outputs.

I have also posted a thread about this => https://supportforums.cisco.com/thread/2091906

I would like to know what the end of the story was on your side?

Indeed, I am also using a Cisco 890 platform (on my router: one isakmp SA with a lot of ipsec flows) and am also thinking of a platform limitation.

Thanks a lot for your feedback.

Kind regards.

Karim 

Saurabh Sareen
Level 1

I got the same message when trying to initialize the dynamic VTI.

I got this fixed -

1. Make sure the isakmp profile is correctly configured with isakmp authorization, client configuration, client authentication, and virtual template.

2. Make sure the IPsec transform set is configured correctly.

3. Make sure the ipsec profile is configured with the transform set and the isakmp profile.

4. Make sure that the client configuration group is configured with key, acl and address pool.

5. Virtual template interface of type tunnel with tunnel source as the WAN interface, ip unnumbered as the WAN interface, tunnel mode ipsec ipv4, tunnel protection ipsec profile.

VTI comes up in one shot.

That message was confusing regarding ike call admission control.

If you need, I will send you the configuration.

Regards
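The five-step checklist above, written out as a complete IOS dynamic-VTI hub configuration. This is an added example, not the poster's configuration: all names (VPN-GROUP, VPN-PROF, VPN-TS, VPN-IPSEC-PROF, VPN-POOL, the AAA list names), the WAN interface (GigabitEthernet0), addresses and keys are assumed placeholders, and the SHA-256 options assume an IOS image that supports them.

```cisco
! Added example of the checklist as IOS config; every name, address and
! key below is a placeholder and not taken from the thread.
aaa new-model
aaa authentication login VPN-AUTHEN local     ! step 1: client authentication list
aaa authorization network VPN-AUTHOR local    ! step 1: isakmp authorization list
username vpnuser secret REPLACE-ME-USER-PASS
!
crypto isakmp policy 10
 encr aes 256
 hash sha256                                  ! use "hash sha" on images without SHA-256
 authentication pre-share
 group 14
!
! step 4: client configuration group with key, acl and address pool
crypto isakmp client configuration group VPN-GROUP
 key REPLACE-ME-GROUP-KEY
 pool VPN-POOL
 acl 101
!
! step 1: isakmp profile tying authentication, authorization,
! client configuration and the virtual template together
crypto isakmp profile VPN-PROF
 match identity group VPN-GROUP
 client authentication list VPN-AUTHEN
 isakmp authorization list VPN-AUTHOR
 client configuration address respond
 virtual-template 1
!
! step 2: transform set
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! step 3: ipsec profile references the transform set and the isakmp profile
crypto ipsec profile VPN-IPSEC-PROF
 set transform-set VPN-TS
 set isakmp-profile VPN-PROF
!
! step 5: virtual template of type tunnel on the WAN interface
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-IPSEC-PROF
!
ip local pool VPN-POOL 10.255.0.1 10.255.0.50
access-list 101 permit ip 192.168.10.0 0.0.0.255 any   ! split-tunnel ACL pushed to clients
```

After applying it, "show crypto session" and "show ip interface brief | include Virtual-Access" confirm that a Virtual-Access interface is cloned from the template for each peer that negotiates successfully.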
