Cisco Bug: CSCvv34140 - ASA IKEv2 VTI - Failed to request SPI from CTM as responder

Last Modified

Oct 06, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

  • 9.12(4)
  • 9.8(4.10)

Description (partial)

Symptom:
After a certain amount of time, which varies per environment with the number of VTI tunnels and how frequently they drop and re-establish because of the vpn-idle-timeout setting, the ASA starts rejecting new negotiations for some of the tunnels that used to be up. The ASA keeps negotiating tunnels, but not all of them can stay up simultaneously.

The symptoms below can be observed when in the failed

Conditions:
1. IKEv2 debugs show:

   Failed to request SPI from CTM as responder, outstanding 0, status 255 <<<<----------

2. IPSEC debugs show:

   %ASA-7-711001: IPSEC ERROR: Failed to allocate an inbound hardware context (rc: 0xFFFFFFFF), ctm_nlite_ipsec_alloc_hw_ibsa:91 <<<<----------
   %ASA-7-711001: IPSEC ERROR: Failed to generate a new SPI <<<<----------
   %ASA-7-711001: IPSEC ERROR: Failed to create an inbound SA, SPI:0xAB16FC90 <<<<----------
   <omitted output>
   %ASA-7-711001: IPSEC ERROR: Failed to complete the GETSPI command from IKE <<<<----------

3. "debug menu ikev2 13 0" shows the "PFKEY GETSPI failures" counter increasing:

   ---------- IKEv2 Errors ------------------
   Child SA rekey initiate failure: 0
   PFKEY GETSPI failures: 395 <<<-------------
   <omitted output>

4. The following "show counters" counters start increasing:

   IPSEC IB_CONTEXT_ALLOC_FAILED 3 Summary <<<----------
   IPSEC OB_CONTEXT_ALLOC_FAILED 10 Summary <<<----------
   IPSEC OUT_SA_CLEANUP 10 Summary <<<----------
   IPSEC HW_SA_CREATION_FAILURE 10 Summary <<<----------
   IPSEC IB_SA_DEL_PRE_DB_ADD 3 Summary <<<----------
   IPSEC COULDNT_GET_SPI 3 Summary <<<----------

5. Syslog ID 602305 gets generated:

   %ASA-3-602305: IPSEC: SA creation error, source A.A.A.A, destination B.B.B.B, reason hw SPI gen error.

Conditions:
ASA with IKEv2 VTIs
vpn-idle-timeout setting being applied to IKEv2 VTI VPN sessions
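As an added example (not from the bug report or from Cisco), a small Python checker that applies the signature above to exported data: it flags syslog 602305 lines whose reason is "hw SPI gen error" and reports which of the listed "show counters" values grew between two snapshots. The sample log lines and counter snapshots are constructed to mirror the ones quoted above; the addresses are RFC 5737 documentation addresses.

```python
import re

# Counter names from the "show counters" symptom above; an increase between
# two snapshots is what the bug description calls out.
WATCHED_COUNTERS = {
    "IB_CONTEXT_ALLOC_FAILED", "OB_CONTEXT_ALLOC_FAILED", "OUT_SA_CLEANUP",
    "HW_SA_CREATION_FAILURE", "IB_SA_DEL_PRE_DB_ADD", "COULDNT_GET_SPI",
}
COUNTER_RE = re.compile(r"^\s*IPSEC\s+(\w+)\s+(\d+)\s+Summary")
SYSLOG_RE = re.compile(r"%ASA-(\d)-(\d{6}):\s*(.*)")
SA_ERROR_RE = re.compile(r"source (\S+), destination (\S+), reason (.+?)\.?$")

def parse_counters(text):
    """Map IPSEC counter name -> value from 'show counters' output."""
    return {m.group(1): int(m.group(2))
            for m in (COUNTER_RE.match(ln) for ln in text.splitlines()) if m}

def increased_counters(before, after):
    """Watched counters whose value grew between two snapshots (name -> delta)."""
    b, a = parse_counters(before), parse_counters(after)
    return {n: a[n] - b.get(n, 0) for n in WATCHED_COUNTERS
            if a.get(n, 0) > b.get(n, 0)}

def spi_errors(syslog_text):
    """Return (source, destination) for each 602305 'hw SPI gen error' line."""
    hits = []
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.search(line)
        if not m or m.group(2) != "602305":
            continue
        d = SA_ERROR_RE.search(m.group(3))
        if d and d.group(3).startswith("hw SPI gen error"):
            hits.append((d.group(1), d.group(2)))
    return hits

def matches_bug_signature(syslog_text, counters_before, counters_after):
    """True when both the syslog and the counter symptoms are present."""
    return bool(spi_errors(syslog_text)) and \
        bool(increased_counters(counters_before, counters_after))

# Constructed sample data modelled on the symptoms quoted in the bug description.
SYSLOG = """\
%ASA-7-711001: IPSEC ERROR: Failed to allocate an inbound hardware context (rc: 0xFFFFFFFF), ctm_nlite_ipsec_alloc_hw_ibsa:91
%ASA-7-711001: IPSEC ERROR: Failed to generate a new SPI
%ASA-3-602305: IPSEC: SA creation error, source 192.0.2.1, destination 198.51.100.7, reason hw SPI gen error.
"""
COUNTERS_BEFORE = "IPSEC IB_CONTEXT_ALLOC_FAILED 0 Summary\nIPSEC COULDNT_GET_SPI 0 Summary\n"
COUNTERS_AFTER = "IPSEC IB_CONTEXT_ALLOC_FAILED 3 Summary\nIPSEC COULDNT_GET_SPI 3 Summary\n"

if __name__ == "__main__":
    print(spi_errors(SYSLOG), increased_counters(COUNTERS_BEFORE, COUNTERS_AFTER))
```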