[c-nsp] Cisco ASR1004 DMVPN Hubs
Gardner, John (ext)
john.3.gardner at atos.net
Fri May 23 03:54:01 EDT 2014
Hello NSP
Using ASR1004 for DMVPN hubs, the crypto engine can't keep up with a single spoke router authentication (ISAKMP phase 1).
Hardware
PID: ASR1004
PID: ASR1000-SIP10
PID: SPA-10X1GE-V2
PID: ASR1000-RP1
PID: ASR1000-ESP10
DRAM: 4Gb
Image: asr1000rp1-adventerprisek9.03.07.04.S.152-4.S4.bin
IOS XE Version: 03.07.04.S
RTU: FLASR1-IPSEC-RTU
Hub router ISAKMP and crypto engine debug output:
Timestamp: ISAKMP (0): received packet from X.Y.41.23 dport 500 sport 500 SECURE (N) NEW SA
Timestamp: ISAKMP: Created a peer struct for X.Y.41.23, peer port 500
Timestamp: ISAKMP: New peer created peer = 0x3D1464B0 peer_handle = 0x80000004
Timestamp: ISAKMP: Locking peer struct 0x3D1464B0, refcount 1 for crypto_isakmp_process_block
Timestamp: ISAKMP: local port 500, remote port 500
Timestamp: ISAKMP:(0):insert sa successfully sa = 41C29D18
Timestamp: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Timestamp: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Timestamp: ISAKMP:(0): processing SA payload. message ID = 0
Timestamp: ISAKMP : Scanning profiles for xauth ... SECURE_ISAKMP_BBP2 ISAKMP-TEST
Timestamp: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer X.Y.41.23)
Timestamp: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer X.Y.41.23)
Timestamp: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Timestamp: ISAKMP: encryption AES-CBC
Timestamp: ISAKMP: keylength of 256
Timestamp: ISAKMP: hash SHA256
Timestamp: ISAKMP: default group 5
Timestamp: ISAKMP: auth RSA sig
Timestamp: ISAKMP: life type in seconds
Timestamp: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Timestamp: ISAKMP:(0):atts are acceptable. Next payload is 0
Timestamp: ISAKMP:(0):Acceptable atts:actual life: 0
Timestamp: ISAKMP:(0):Acceptable atts:life: 0
Timestamp: ISAKMP:(0):Fill atts in sa vpi_length:4
Timestamp: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Timestamp: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer X.Y.41.23)
Timestamp: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer X.Y.41.23)
Timestamp: ISAKMP:(0):Returning Actual lifetime: 86400
Timestamp: ISAKMP:(0)::Started lifetime timer: 86400.
Timestamp: crypto_engine_select_crypto_engine: can't handle any more
Timestamp: crypto_engine_select_crypto_engine: can't handle any more
Timestamp: ISAKMP : Unable to allocate IKE SA
Timestamp: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Timestamp: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Timestamp: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Timestamp: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Timestamp: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_READY
Why is the router crypto engine reporting that it can't handle any more and fails to allocate an IKE SA? I would like to know of any useful commands that might shed light on this.
Crypto Engine
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: 00000000
crypto engine state: installed
crypto engine in slot: N/A
platform: Cisco Software Crypto Engine
crypto lib version: 22.0.0
Crypto ELI
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine IOSXE-ESP(14) details: state = Active
Capability : DES, 3DES, AES, RSA, IPv6, GDOI, FAILCLOSE
IKE-Session : 0 active, 12287 max, 0 failed
DH : 0 active, 12287 max, 0 failed
IPSec-Session : 0 active, 32766 max, 0 failed
I should also add that the 'license' keyword is unavailable.
ASR-1004#sh license ?
% Unrecognized command
ASR-1004(config)#license ?
% Unrecognized command
Regards
John
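As an added example (not part of John's post or any Cisco tooling), a small Python parser that walks ISAKMP debug output of the shape shown above and flags a Phase 1 attempt that collapses back to IKE_READY after "Unable to allocate IKE SA", which is the symptom in the post; the sample lines and the 192.0.2.23 peer address are constructed.

```python
import re

# Constructed sample lines shaped like the hub debug above; 192.0.2.23 is a placeholder peer.
SAMPLE_DEBUG = """\
ISAKMP (0): received packet from 192.0.2.23 dport 500 sport 500 SECURE (N) NEW SA
ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
ISAKMP:(0): processing SA payload. message ID = 0
crypto_engine_select_crypto_engine: can't handle any more
crypto_engine_select_crypto_engine: can't handle any more
ISAKMP : Unable to allocate IKE SA
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_READY
"""

NEW_SA_RE = re.compile(r"received packet from (\S+) dport \d+ sport \d+ .*NEW SA")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
ATTEMPT_RE = re.compile(r"incrementing error counter on sa, attempt (\d+) of (\d+)")
ENGINE_FULL = "crypto_engine_select_crypto_engine: can't handle any more"
SA_ALLOC_FAIL = "Unable to allocate IKE SA"


def analyze_ike_debug(text):
    """Summarise each Phase 1 attempt in ISAKMP debug output, keyed by peer address.
    A negotiation that returns to IKE_READY after an SA allocation failure is 'engine_exhausted'."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.split("Timestamp: ", 1)[-1].strip()   # tolerate a timestamp prefix
        if (m := NEW_SA_RE.search(line)):
            current = m.group(1)
            peers[current] = {"states": [], "engine_full": 0, "sa_alloc_failed": 0,
                              "attempts": None, "outcome": "in_progress"}
            continue
        if current is None:                               # lines before any NEW SA
            continue
        rec = peers[current]
        if ENGINE_FULL in line:
            rec["engine_full"] += 1
        elif SA_ALLOC_FAIL in line:
            rec["sa_alloc_failed"] += 1
        elif (m := ATTEMPT_RE.search(line)):
            rec["attempts"] = (int(m.group(1)), int(m.group(2)))
        elif (m := STATE_RE.search(line)):
            rec["states"].append((m.group(1), m.group(2)))
            if m.group(2) == "IKE_READY" and rec["sa_alloc_failed"]:
                rec["outcome"] = "engine_exhausted"
    return peers


if __name__ == "__main__":
    print(analyze_ike_debug(SAMPLE_DEBUG))
```

Feeding the real `debug crypto isakmp` output (with its timestamp prefixes) to `analyze_ike_debug` gives one record per spoke, so repeated `engine_exhausted` outcomes can be counted and alerted on before spokes start failing en masse.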