troubleshooting Question

Can I create a IPSEC connection without using a VPN Services Port Adapter on the Cisco 6513?

Avatar of stepnharp
stepnharp asked on
RoutersNetworking Hardware-OtherInternet Protocol Security
4 Comments1 Solution929 ViewsLast Modified:
Hi,

I am not able to create a IPSEC connection between a cisco 6513 and a cisco ASR1004, via MPLS ckt.  I have 50 IPSEC/GRE connections so I am positive my config is correct (had 4 other eyes verify config).  This is the first IPSEC connection on the 6513.

The error  “ISAKMP: Unable to allocate IKE SA” is on the 6513.  This error is referring to the VPN Services Port Adapter (VSPA) http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmsw_book/ivmovw.html 

The 6513 does not have a VPN Services Port Adapter (VSPA).

Q:  Can I create a IPSEC connection without using a VPN Services Port Adapter on the 6513?

logging on the 6513 displays the following error:  
21w4d: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (N) NEW SA
21w4d: ISAKMP: Created a peer struct for 1.1.1.1 peer port 500
21w4d: ISAKMP: New peer created peer = 0x525E96B4 peer_handle = 0x80000150
21w4d: ISAKMP: Locking peer struct 0x525E96B4, refcount 1 for crypto_isakmp_process_block
21w4d: ISAKMP: local port 500, remote port 500
21w4d: ISAKMP: Unable to allocate IKE SA

logging on the ASR1004:
*May 15 04:13:51.500: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 1.1.1.1:500, remote= 2.2.2.2:500,
    local_proxy= 10.1.200.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.1.62.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes 256  (Tunnel),
    lifedur= 86400s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0

*******************************

6513#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA


ASR1004#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
2.2.2.2    1.1.1.1    MM_NO_STATE          0 ACTIVE
2.2.2.2    1.1.1.1    MM_NO_STATE          0 ACTIVE (deleted)

*************************************

IOS are:
6513 = s72033-advipservicesk9_wan-mz.122-33.SXH4.bin
ASR1004  = asr1000rp1-adventerprisek9.03.04.02.S.151-3.S2.bin

Thanks for your time and effort, Scott
ASKER CERTIFIED SOLUTION
stepnharp

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 1 Answer and 4 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 4 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros