Cisco ASA IKEv2 – ‘Failed To Allocate Memory’

KB ID 0001218 

Problem

This week I was trying to get a VPN tunnel up for a client. They wanted a tunnel from their Cisco ASA into Microsoft Azure. Normally I’d use IKEv1 (because I know how to troubleshoot it!), but the guys running the site in Azure were using policy routing, which needs IKEv2.

So I converted from IKEv1 to IKEv2. As I said, I’m used to debugging IKEv1, but not IKEv2, so I was struggling to make sense of what was going on. The ‘interesting traffic’ was spawning a LOT of Phase 1 tunnels, but Phase 2 IPsec refused to pass traffic.

Clients-ASA(config)# show cry isa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:151, Status:UP-IDLE, IKE count:25, CHILD count:0

Tunnel-id                 Local                Remote     Status         Role
526939783    222.222.222.222/500     123.123.123.123/500      READY    RESPONDER
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4423 sec

Tunnel-id                 Local                Remote     Status         Role
3227575251    222.222.222.222/500     123.123.123.123/500      READY    RESPONDER
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4425 sec

Tunnel-id                 Local                Remote     Status         Role
3073641799    222.222.222.222/500     123.123.123.123/500      READY    RESPONDER
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4482 sec
-----------------Further Output Removed for the Sake of Brevity------------------

 

A debug of IKEv2 was pretty confusing, but it did reveal this:

Decrypted packet:Data: 616 bytes
IKEv2-PROTO-1: Failed to allocate memory
IKEv2-PROTO-1:
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: IDLE Event: EV_DELETE
IKEv2-PROTO-5: Action: Action_Null
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-3: Abort exchange
IKEv2-PROTO-2: Deleting SA
IKEv2-PROTO-3: Rx [L 222.222.222.222:500/R 123.123.123.123:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:E212F1C2B09EC680 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: E212F1C2B09EC680 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 616
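
An added example (not from the original article or from Cisco): a small Python check for the two symptoms shown above, a session with many IKE SAs but no CHILD SA, and an SA aborted right after 'Failed to allocate memory'. The function names and the `max_ike` threshold are assumptions; the sample text is trimmed from the outputs on this page.

```python
import re

# Sample input: trimmed copies of the 'show cry isa' and debug output above.
SHOW_CRYPTO_ISAKMP = """\
IKEv2 SAs:

Session-id:151, Status:UP-IDLE, IKE count:25, CHILD count:0

Tunnel-id                 Local                Remote     Status         Role
526939783    222.222.222.222/500     123.123.123.123/500      READY    RESPONDER
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
"""

DEBUG_IKEV2 = """\
IKEv2-PROTO-1: Failed to allocate memory
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: IDLE Event: EV_DELETE
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-2: Deleting SA
"""

SESSION_RE = re.compile(
    r"Session-id:(\d+), Status:(\S+), IKE count:(\d+), CHILD count:(\d+)")
SPI_RE = re.compile(r"I_SPI=([0-9A-F]{16}) R_SPI=([0-9A-F]{16}).*Event: (\w+)")

def stuck_sessions(show_output, max_ike=1):
    """Sessions with piled-up IKE SAs and no CHILD (IPsec) SA.
    max_ike is an assumed threshold: one IKE SA per peer is the normal case."""
    hits = []
    for m in SESSION_RE.finditer(show_output):
        ike, child = int(m.group(3)), int(m.group(4))
        if ike > max_ike and child == 0:
            hits.append({"session": m.group(1), "status": m.group(2),
                         "ike": ike, "child": child})
    return hits

def aborted_after_alloc_failure(debug_output):
    """SPI pairs whose state machine reached EV_ABORT after the error line."""
    armed, aborted = False, []
    for line in debug_output.splitlines():
        if "Failed to allocate memory" in line:
            armed = True  # the next EV_ABORT belongs to this failure
            continue
        m = SPI_RE.search(line)
        if armed and m and m.group(3) == "EV_ABORT":
            aborted.append((m.group(1), m.group(2)))
            armed = False
    return aborted

if __name__ == "__main__":
    print(stuck_sessions(SHOW_CRYPTO_ISAKMP))
    print(aborted_after_alloc_failure(DEBUG_IKEV2))
```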

Solution

The ASA was running version 8.4(6), which is not listed as being affected by this bug:

ASA IKEv2 fails to accept incoming IKEV2 connections
CSCud50997
 
But that’s what the problem was; after an upgrade to 9.2(4) the tunnel came straight up without error.

 


Author: PeteLong


3 Comments

  1. It would appear I am seeing this same issue on 9.1(2).

  2. Funny, there’s a similar error message in Classic IOS 15.5(3)M10:

    %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Failed to allocate memory

    I had already configured several IKEv2 VPNs without issue but didn’t see this until trying to connect to a CheckPoint R80.30 cluster. From what I can tell, this essentially means the IKEv2 Phase 1 SA is good, but the other side is having trouble bringing up Phase 2.

    This message has absolutely nothing to do with Memory or RAM, etc.

    • Thanks for the feedback John, I’ll post it here in case I grab any IOS related traffic 🙂

      P

