[c-nsp] debug IPSEC explanation

Luan Nguyen luan.nguyen at mci.com
Mon Mar 14 22:54:09 EST 2005 

Hi All,

 

Does anyone know what the following debugs mean by any chance?  Running IOS
12.3.11T3 on a 1711

 

"004347: Mar 15 03:19:28.151 GMT: IPSEC(crypto_map_check_encrypt_core):
mtree says we have SA but couldn't find current outbound SA. dropping pak.
pak->cryptoflags=0x820"

 

The router does have SAs

ucs1711#show crypto eli

Hardware Encryption Layer :   ACTIVE

 Number of crypto engines = 1 .

 

 CryptoEngine-0 (slot-3) details. 

 Capability-IPSec : IPPCP, 3DES, NoAES, NoRSA 

 

 IKE-Session   :     1 active,   200 max, 0 failed

 DH-Key        :     0 active,   100 max, 0 failed

 IPSec-Session :     2 active,   400 max, 0 failed

 

and

"004395: Mar 15 03:21:00.992 GMT: IPSEC(key_engine_delete_sas): delete SA
with spi 0xB3A15F06 proto 50 for 130.201.207.204IPSM:
notify_mib_ipsec_tunnel_termination 18"

 

This when I clear the SA.  From CCO, IPSM = IP Service Management Catalyst
(IPSM) and that 130.201.207.204 IP address, I don't have anything to do
with.  The IPSEC peer of the router is definitely not that.  This is what I
get from running 12.3.10 Mainline :" *Mar 15 03:20:05.115 GMT:
IPSEC(key_engine_delete_sas): delete SA with spi 3243146375/50 for
63.89.185.236IPSM: notify_mib_ipsec_tunnel_termination 34"

 

FYI,

 

OrgName:    ARCO Oil and Gas Company 
OrgID:      AOG-1
<http://ws.arin.net/cgi-bin/whois.pl?queryinput=O%20!%20AOG-1> 
Address:    2300 West Plano Parkway
City:       Plano
StateProv:  TX
PostalCode: 75075
Country:    US
 
NetRange:   130.201.0.0
<http://ws.arin.net/cgi-bin/whois.pl?queryinput=130.201.0.0>  -
130.201.255.255
<http://ws.arin.net/cgi-bin/whois.pl?queryinput=130.201.255.255>  
CIDR:       130.201.0.0/16 
NetName:    AOGC
<http://ws.arin.net/cgi-bin/whois.pl?queryinput=N%20.%20AOGC> 
NetHandle:  NET-130-201-0-0-1
<http://ws.arin.net/cgi-bin/whois.pl?queryinput=N%20!%20NET-130-201-0-0-1> 
Parent:     NET-130-0-0-0-0
<http://ws.arin.net/cgi-bin/whois.pl?queryinput=N%20NET-130-0-0-0-0> 
NetType:    Direct Assignment
NameServer: INETG1.ARCO.COM
NameServer: CHINATI.OTS.UTEXAS.EDU
 
Thanks.
 
Luan

More information about the cisco-nsp mailing list