Symptom
Device enters trouble state where it can no longer install new IPSec SAs. Debugs after the failure began occurring:
.Jul 20 14:43:17.578: ISAKMP-ERROR: (14965):IPSec Installation failed...
.Jul 20 14:43:17.578: ISAKMP-ERROR: (14965):deleting node 1039446135 error TRUE reason "IPSEC install failed"
The following may also be seen:
Jul 18 15:13:14: %FMFP-3-OBJ_DWNLD_TO_DP_STUCK: R0/0: fman_fp_image: AOM download of obj[53573] type[192] pending-issue Req-delete Issued-noneIPSEC: n2 sa 1.1.1.1.5353 to Data Plane is stuck for more than 1800 seconds
Jul 18 15:13:14: %FMFP-3-OBJ_DWNLD_TO_DP_STUCK: F0: fman_fp_image: AOM download of obj[53573] type[192] pending-issue Req-delete Issued-noneIPSEC: n2 sa 1.1.1.1.5353 to Data Plane is stuck for more than 1800 seconds
Jul 18 15:13:14: %FMFP-3-OBJ_DWNLD_TO_DP_STUCK: SIP0: fman_fp_image: AOM download of obj[53573] type[192] pending-issue Req-delete Issued-noneIPSEC: n2 sa 1.1.1.1.5353 to Data Plane is stuck for more than 1800 seconds
Conditions
VPN on ISR4k / ISR1k and CSR1000V.
Show CLI that checks the crypto accelerator software version is used several times.
Workaround
Reloading is the only known workaround.
Further Problem Description
The issue can be triggered by a "show" command that retrieves crypto accelerator software version - "show platform hardware crypto-device status". The command is included in "show tech" command, and is used in "show crypto engine accelerator statistic".
