Can I create an IPSEC connection without using a VPN Services Port Adapter on the Cisco 6513?

Last Modified: 2014-06-01
Hi,

I am not able to create an IPSEC connection between a Cisco 6513 and a Cisco ASR1004, via MPLS ckt. I have 50 IPSEC/GRE connections so I am positive my config is correct (had 4 other eyes verify config). This is the first IPSEC connection on the 6513.

The error  “ISAKMP: Unable to allocate IKE SA” is on the 6513.  This error is referring to the VPN Services Port Adapter (VSPA) http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmsw_book/ivmovw.html 

The 6513 does not have a VPN Services Port Adapter (VSPA).

Q: Can I create an IPSEC connection without using a VPN Services Port Adapter on the 6513?

Logging on the 6513 displays the following error:
21w4d: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (N) NEW SA
21w4d: ISAKMP: Created a peer struct for 1.1.1.1 peer port 500
21w4d: ISAKMP: New peer created peer = 0x525E96B4 peer_handle = 0x80000150
21w4d: ISAKMP: Locking peer struct 0x525E96B4, refcount 1 for crypto_isakmp_process_block
21w4d: ISAKMP: local port 500, remote port 500
21w4d: ISAKMP: Unable to allocate IKE SA

Logging on the ASR1004:
*May 15 04:13:51.500: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 1.1.1.1:500, remote= 2.2.2.2:500,
    local_proxy= 10.1.200.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.1.62.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes 256  (Tunnel),
    lifedur= 86400s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0

*******************************

6513#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA


ASR1004#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
2.2.2.2    1.1.1.1    MM_NO_STATE          0 ACTIVE
2.2.2.2    1.1.1.1    MM_NO_STATE          0 ACTIVE (deleted)

*************************************

IOS versions are:
6513 = s72033-advipservicesk9_wan-mz.122-33.SXH4.bin
ASR1004  = asr1000rp1-adventerprisek9.03.04.02.S.151-3.S2.bin

Thanks for your time and effort, Scott
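
On a responder that terminates many tunnels, the "Unable to allocate IKE SA" line carries no peer address, so it has to be tied back to the preceding NEW SA line. The following is an added example, not part of the original post or Cisco tooling; the function name and the 3.3.3.3 lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the 6513 debug lines from the post, followed by two
# constructed lines for a second peer (3.3.3.3) that does not hit the error.
SAMPLE_LOG = """\
21w4d: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (N) NEW SA
21w4d: ISAKMP: Created a peer struct for 1.1.1.1 peer port 500
21w4d: ISAKMP: New peer created peer = 0x525E96B4 peer_handle = 0x80000150
21w4d: ISAKMP: Locking peer struct 0x525E96B4, refcount 1 for crypto_isakmp_process_block
21w4d: ISAKMP: local port 500, remote port 500
21w4d: ISAKMP: Unable to allocate IKE SA
21w4d: ISAKMP (0): received packet from 3.3.3.3 dport 500 sport 500 Global (N) NEW SA
21w4d: ISAKMP: Created a peer struct for 3.3.3.3 peer port 500
"""

NEW_SA = re.compile(
    r"ISAKMP \(\d+\): received packet from (\d+\.\d+\.\d+\.\d+) .*\(N\) NEW SA"
)
ALLOC_FAIL = "ISAKMP: Unable to allocate IKE SA"


def ike_alloc_failures(log_text):
    """Return {peer: {"attempts": n, "alloc_failures": m}} from ISAKMP debug text.

    Each failure is attributed to the peer named in the most recent NEW SA
    line. Assumption: negotiations are not interleaved in the log; with
    heavy concurrent traffic, attribution by adjacency can be wrong.
    """
    attempts = defaultdict(int)
    failures = defaultdict(int)
    current_peer = None
    for line in log_text.splitlines():
        match = NEW_SA.search(line)
        if match:
            current_peer = match.group(1)
            attempts[current_peer] += 1
        elif ALLOC_FAIL in line:
            failures[current_peer or "unknown"] += 1
            current_peer = None  # count at most one failure per attempt
    report = {p: {"attempts": n, "alloc_failures": failures.get(p, 0)}
              for p, n in attempts.items()}
    if "unknown" in failures:  # failure seen before any NEW SA line
        report["unknown"] = {"attempts": 0, "alloc_failures": failures["unknown"]}
    return report


if __name__ == "__main__":
    for peer, stats in ike_alloc_failures(SAMPLE_LOG).items():
        print(peer, stats)
```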

Commented:
This "bug" relates to the ASR1000 but it may also relate to the 6500. What hash are you using?
Symptom:
On an ASR1000 series router, the CLI allows configuration of SHA-2 for ISAKMP, e.g.:
crypto isakmp policy 10
hash sha256

However, the VPN tunnel will not establish.
Crypto debugs indicate that phase 1 fails with "ISAKMP : Unable to allocate IKE SA " on the responder.

Please note that this is expected behavior, since SHA-2 is not supported yet on the ASR1000. Please refer to CSCtn18426.
This bug serves to remove the CLI commands that are not yet supported.

Workaround:
Use SHA-1.

Author

Commented:
Mike,
We are using SHA-1.

Thanks for your reply.

Scott
Author

Commented:
This is from Cisco Support.