Symptom
A leak of the IPsec SA in-negotiation counter has been observed. Once the leaked value consumes the configured in-negotiation limit, new IKE SA requests are denied and %CRYPTO-4-IKE_DENY_SA_REQ is logged.
The leak is visible in the "show crypto call admission statistics" output, in the "Total IPSEC SA Count" line: the "negotiating" value stays pinned at the in-negotiation limit (100 below, against "Max in nego: 100") while the IKE "negotiating" value remains small.
------------------ show crypto call admission statistics ------------------
---------------------------------------------------------------------
Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit: 0 Max IKE SAs: 0 Max in nego: 100
Total IKE SA Count: 200 active: 195 negotiating: 5
Incoming IKE Requests: 1111 accepted: 1111 rejected: 0
Outgoing IKE Requests: 5555 accepted: 5555 rejected: 0
Rejected IKE Requests: 0 rsrc low: 0 Active SA limit: 0
In-neg SA limit: 0
IKE packets dropped at dispatch: 0
Max IPSEC SAs: 0
Total IPSEC SA Count: 296 active: 196 negotiating: 100 <<<<<<<<<<<<<<<<<<<<<<<<<
Incoming IPSEC Requests: 555 accepted: 555 rejected: 0
Outgoing IPSEC Requests: 11111 accepted: 11111 rejected: 0
Phase1.5 SAs under negotiation: 0
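To see how the leak shows up in monitoring, here is an added example (not Cisco code and not part of this bug report) that parses the show output quoted above and separates the leaked counter from genuine negotiation load. The label/value parsing follows the layout of the output above; the function names parse_cac, assess and is_stuck, the 90% near-limit ratio and the IKE-is-low threshold of 10 are illustrative assumptions, and every sample other than the one copied from the Symptom section is constructed.

```python
"""Parse 'show crypto call admission statistics' and flag a leaked IPsec
in-negotiation counter.

Added example for this bug writeup, not Cisco code. Label/value parsing follows
the output quoted in the Symptom section; parse_cac, assess, is_stuck, the 90%
near-limit ratio and the IKE-low threshold of 10 are illustrative choices.
"""
import re

# Copied from the Symptom section of the bug report (its values, not live data).
SAMPLE_OUTPUT = """\
Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit: 0 Max IKE SAs: 0 Max in nego: 100
Total IKE SA Count: 200 active: 195 negotiating: 5
Incoming IKE Requests: 1111 accepted: 1111 rejected: 0
Outgoing IKE Requests: 5555 accepted: 5555 rejected: 0
Rejected IKE Requests: 0 rsrc low: 0 Active SA limit: 0
In-neg SA limit: 0
IKE packets dropped at dispatch: 0
Max IPSEC SAs: 0
Total IPSEC SA Count: 296 active: 196 negotiating: 100
Incoming IPSEC Requests: 555 accepted: 555 rejected: 0
Outgoing IPSEC Requests: 11111 accepted: 11111 rejected: 0
Phase1.5 SAs under negotiation: 0
"""

# Constructed samples (not from the report), trimmed to the lines the parser uses.
# Same device one poll later: IKE negotiation drained, IPsec value still pinned.
LEAK_LATER_OUTPUT = """\
System Resource Limit: 0 Max IKE SAs: 0 Max in nego: 100
Total IKE SA Count: 200 active: 200 negotiating: 0
Total IPSEC SA Count: 300 active: 200 negotiating: 100
"""
# A healthy device with a handful of tunnels being set up.
HEALTHY_OUTPUT = """\
System Resource Limit: 0 Max IKE SAs: 0 Max in nego: 100
Total IKE SA Count: 200 active: 198 negotiating: 2
Total IPSEC SA Count: 400 active: 397 negotiating: 3
"""
# A genuine setup burst hitting the limit: both counters high, not a leak.
BURST_OUTPUT = """\
System Resource Limit: 0 Max IKE SAs: 0 Max in nego: 100
Total IKE SA Count: 260 active: 200 negotiating: 60
Total IPSEC SA Count: 440 active: 400 negotiating: 40
"""

# One 'Label: value' pair; several pairs share a line in this output.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9 .\-]*?):\s*(\d+)")


def _pairs(line):
    return {label.strip(): int(value) for label, value in PAIR_RE.findall(line)}


def parse_cac(text):
    """Extract the in-negotiation limit and the per-protocol SA counters."""
    stats = {}
    for line in text.splitlines():
        pairs = _pairs(line)
        if "Max in nego" in pairs:
            stats["max_in_nego"] = pairs["Max in nego"]
        for proto in ("IKE", "IPSEC"):
            key = "Total %s SA Count" % proto
            if key in pairs:
                p = proto.lower()
                stats[p + "_total"], stats[p + "_active"], stats[p + "_negotiating"] = (
                    pairs[key], pairs["active"], pairs["negotiating"])
    missing = {"max_in_nego", "ike_negotiating", "ipsec_negotiating"} - stats.keys()
    if missing:
        raise ValueError("output lacks fields: %s" % sorted(missing))
    return stats


def assess(stats, near_limit=0.9, ike_low=10):
    """Classify one sample as (alert, reason).

    With 'crypto call admission limit all in-negotiation-sa' the IKE and IPsec
    'negotiating' counters are summed against 'Max in nego'. A real setup burst
    raises both and then drains; the leak pins the IPsec value near the limit
    while IKE negotiation is low, after which new IKE requests are denied.
    """
    limit = stats["max_in_nego"]
    ike_neg, ipsec_neg = stats["ike_negotiating"], stats["ipsec_negotiating"]
    if limit == 0:
        return False, "no in-negotiation limit configured"
    combined = ike_neg + ipsec_neg
    if combined < near_limit * limit:
        return False, "in-negotiation total %d/%d, headroom available" % (combined, limit)
    if ipsec_neg >= near_limit * limit and ike_neg <= ike_low:
        return True, ("IPsec negotiating=%d pinned near limit %d with IKE negotiating=%d: "
                      "matches the leaked counter, expect %%CRYPTO-4-IKE_DENY_SA_REQ"
                      % (ipsec_neg, limit, ike_neg))
    return True, "in-negotiation total %d/%d: CAC will deny new IKE requests" % (combined, limit)


def is_stuck(samples, ike_low=10):
    """True when, across chronological samples, the IPsec negotiating counter never
    decreases while IKE negotiation has drained. Real negotiations complete or time
    out, so a value that only ratchets upward is the leak, not load."""
    if len(samples) < 2:
        return False
    ipsec = [s["ipsec_negotiating"] for s in samples]
    never_drops = all(later >= earlier for earlier, later in zip(ipsec, ipsec[1:]))
    return never_drops and ipsec[-1] > 0 and samples[-1]["ike_negotiating"] <= ike_low


if __name__ == "__main__":
    for name, text in (("report", SAMPLE_OUTPUT), ("healthy", HEALTHY_OUTPUT), ("burst", BURST_OUTPUT)):
        print(name, assess(parse_cac(text)))
    print("stuck across polls:", is_stuck([parse_cac(SAMPLE_OUTPUT), parse_cac(LEAK_LATER_OUTPUT)]))
```

Polling the show command every few minutes and feeding the parsed samples to is_stuck is what distinguishes this bug from a busy device: a setup burst drives the combined count to the limit too, but its counters fall again, whereas the leaked IPsec value never drops.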
Conditions
- The CAC configuration "crypto call admission limit all in-negotiation-sa" is in use, so the IKE and IPsec in-negotiation counters are summed against a single limit
- The combined IKE + IPsec in-negotiation count reaches the configured threshold ("Max in nego" in the output above)
Workaround
- Use "crypto call admission limit ike in-negotiation-sa" instead. This applies the in-negotiation limit at the IKE level only, so the leaking IPsec counter no longer counts toward it.
Interim workaround:
- reload the device, which clears the leaked counter until it builds up again
- increase the CAC threshold, which only delays the point at which the leaked counter reaches it
Further Problem Description