...
A leak in the IPSec SA in-negotiation (in-neg) counter has been observed, leading to %CRYPTO-4-IKE_DENY_SA_REQ. The leak is visible in the "show crypto call admission statistics" output, in the "Total IPSEC SA" section, counter "negotiating".

------------------ show crypto call admission statistics ------------------

---------------------------------------------------------------------
Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit: 0 Max IKE SAs: 0 Max in nego: 100
Total IKE SA Count: 200 active: 195 negotiating: 5
Incoming IKE Requests: 1111 accepted: 1111 rejected: 0
Outgoing IKE Requests: 5555 accepted: 5555 rejected: 0
Rejected IKE Requests: 0 rsrc low: 0 Active SA limit: 0
In-neg SA limit: 0
IKE packets dropped at dispatch: 0
Max IPSEC SAs: 0
Total IPSEC SA Count: 296 active: 196 negotiating: 100 <<<<<<<<<<<<<<<<<<<<<<<<<
Incoming IPSEC Requests: 555 accepted: 555 rejected: 0
Outgoing IPSEC Requests: 11111 accepted: 11111 rejected: 0
Phase1.5 SAs under negotiation: 0
- Using the following CAC configuration: crypto call admission limit all in-negotiation-sa
- IKE + IPSec in-neg counters reach the defined threshold
- Use "crypto call admission limit ike in-negotiation-sa " instead, which protects only at the IKE level

Interim workaround:
- reload
- increase the CAC threshold
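One way to check polled output for the condition described above, as an added example that is not Cisco's code or part of the original bug report. The function names, the reading of "Max in nego" as the configured CAC limit, and the leak heuristic in `looks_leaked` are assumptions; the sample text is constructed from the output quoted above.

```python
import re

# Constructed sample, modeled on the "show crypto call admission statistics"
# output quoted in the bug description.
SAMPLE = """\
System Resource Limit: 0 Max IKE SAs: 0 Max in nego: 100
Total IKE SA Count: 200 active: 195 negotiating: 5
Max IPSEC SAs: 0
Total IPSEC SA Count: 296 active: 196 negotiating: 100
"""

def _field(pattern, text):
    # re.S lets the match survive output that was wrapped or flattened.
    m = re.search(pattern, text, re.S)
    if m is None:
        raise ValueError(f"field not found: {pattern}")
    return int(m.group(1))

def parse_cac(text):
    """Extract the in-negotiation limit and both negotiating counters."""
    return {
        "max_in_nego": _field(r"Max in nego:\s*(\d+)", text),
        "ike_neg": _field(r"Total IKE SA Count:.*?negotiating:\s*(\d+)", text),
        "ipsec_neg": _field(r"Total IPSEC SA Count:.*?negotiating:\s*(\d+)", text),
    }

def at_threshold(stats):
    """True when IKE + IPSec in-neg counters reach the limit (0 = no limit set)."""
    limit = stats["max_in_nego"]
    return limit > 0 and stats["ike_neg"] + stats["ipsec_neg"] >= limit

def looks_leaked(snapshots):
    """Heuristic (assumption): across successive polls the IPSec negotiating
    counter never decreases and the last poll is at the threshold. Negotiations
    that finish or time out should let the counter fall back."""
    counts = [s["ipsec_neg"] for s in snapshots]
    steady = all(b >= a for a, b in zip(counts, counts[1:]))
    return len(counts) >= 2 and steady and at_threshold(snapshots[-1])

if __name__ == "__main__":
    stats = parse_cac(SAMPLE)
    print(stats, "at threshold:", at_threshold(stats))
```
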