stepnharp
asked on
Can I create an IPSEC connection without using a VPN Services Port Adapter on the Cisco 6513?
Hi,
I am not able to create an IPSEC connection between a Cisco 6513 and a Cisco ASR1004, via MPLS ckt. I have 50 IPSEC/GRE connections so I am positive my config is correct (had 4 other eyes verify config). This is the first IPSEC connection on the 6513.
The error “ISAKMP: Unable to allocate IKE SA” is on the 6513. This error is referring to the VPN Services Port Adapter (VSPA) http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmsw_book/ivmovw.html
The 6513 does not have a VPN Services Port Adapter (VSPA).
Q: Can I create an IPSEC connection without using a VPN Services Port Adapter on the 6513?
Logging on the 6513 displays the following error:
21w4d: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (N) NEW SA
21w4d: ISAKMP: Created a peer struct for 1.1.1.1 peer port 500
21w4d: ISAKMP: New peer created peer = 0x525E96B4 peer_handle = 0x80000150
21w4d: ISAKMP: Locking peer struct 0x525E96B4, refcount 1 for crypto_isakmp_process_block
21w4d: ISAKMP: local port 500, remote port 500
21w4d: ISAKMP: Unable to allocate IKE SA
Logging on the ASR1004:
*May 15 04:13:51.500: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 1.1.1.1:500, remote= 2.2.2.2:500,
local_proxy= 10.1.200.1/255.255.255.255/0/0 (type=1),
remote_proxy= 10.1.62.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 256 (Tunnel),
lifedur= 86400s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*******************************
6513#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
ASR1004#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
2.2.2.2 1.1.1.1 MM_NO_STATE 0 ACTIVE
2.2.2.2 1.1.1.1 MM_NO_STATE 0 ACTIVE (deleted)
*******************************
IOS are:
6513 = s72033-advipservicesk9_wan-mz.122-33.SXH4.bin
ASR1004 = asr1000rp1-adventerprisek9.03.04.02.S.151-3.S2.bin
Thanks for your time and effort, Scott
ASKER
Mike,
We are using SHA-1.
Thanks for your reply.
Scott
ASKER
This is from Cisco Support.
Symptom:
On an ASR1000 series router, the CLI allows configuration of SHA-2 for ISAKMP, e.g.:
crypto isakmp policy 10
hash sha256
However, the VPN tunnel will not establish.
Crypto debugs indicate that phase 1 fails with "ISAKMP : Unable to allocate IKE SA " on the responder.
Please note that this is expected behavior, since SHA-2 is not supported yet on the ASR1000. Please refer to CSCtn18426.
This bug serves to remove the CLI commands that are not yet supported.
Workaround:
Use SHA-1.
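The Cisco note above describes a configuration the CLI accepts but the platform cannot negotiate. As an added example that is not part of the original thread or Cisco's note, the following Python sketch audits a saved configuration for ISAKMP policies set to a SHA-2 hash and pulls the affected peer out of debug output in the format quoted in the question. The function names, the sample configuration, the sample log and the 192.0.2.1 address are constructed for illustration, and treating any `shaNNN` keyword as SHA-2 is an assumption.

```python
import re

# Constructed sample (not from the thread): policy 10 uses SHA-2, policy 20
# has no hash line and so falls back to the IOS default, SHA-1.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
crypto isakmp key EXAMPLE-KEY address 192.0.2.1
"""
# Constructed debug lines in the format quoted in the question.
SAMPLE_LOG = """\
21w4d: ISAKMP: Created a peer struct for 192.0.2.1 peer port 500
21w4d: ISAKMP: local port 500, remote port 500
21w4d: ISAKMP: Unable to allocate IKE SA
"""
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")
HASH_RE = re.compile(r"^\s+hash (sha\d+)\s*$")  # assumption: shaNNN means SHA-2
PEER_RE = re.compile(r"ISAKMP: Created a peer struct for (\S+) peer port")

def sha2_policies(config):
    """Return [(policy_number, hash_keyword)] for policies set to a SHA-2 hash."""
    found, current = [], None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
        elif not line.startswith(" "):
            current = None  # a top-level command ends the policy block
        elif current is not None and (h := HASH_RE.match(line)):
            found.append((current, h.group(1)))
    return found

def failed_peers(log):
    """Return peers whose IKE negotiation hit 'Unable to allocate IKE SA'."""
    peers, last_peer = [], None
    for line in log.splitlines():
        if m := PEER_RE.search(line):
            last_peer = m.group(1)
        elif "Unable to allocate IKE SA" in line and last_peer:
            peers.append(last_peer)
            last_peer = None  # count each failed negotiation once
    return peers
```

Running `sha2_policies` against the configuration of both tunnel endpoints shows which policy would need to move to the SHA-1 workaround on a platform covered by the note.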