From: Rohyans, Aaron (arohyans@dpsciences.com)
Date: Wed Jan 28 2009 - 14:03:53 ARST
Does the tunnel come up, but no traffic passes? There are a few things to try:
1. Disable the Crypto Accelerator and run in software mode to see if you can get the tunnels up and passing traffic. If yes, you may need to experiment with the settings on your Accelerator before re-enabling it (see option 2).
2. Try experimenting with different Phase 2 transforms. I've only seen an issue like this with ISRs on 12.4 using a VPN Accelerator, but essentially I couldn't run 3DES and had to either run AES or just DES before it would work - that or run in software mode.
Hope this helps,
Aaron T. Rohyans
Senior Network Engineer
CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IDS, CQS-VPN, ISSP, CISP, JNCIA-ER
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office: (317) 849-6772 x 7626
Fax: (317) 849-7134
arohyans@dpsciences.com
http://www.dpsciences.com/
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Antonio Soares
Sent: Wednesday, January 28, 2009 7:44 AM
To: security@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: SPA-IPSEC-2G
Hello group,
Need help troubleshooting this one. One 7600 was upgraded from 12.2.18SXE1 to 12.2.33SRB2 and now the SPA-IPSEC-2G is not encrypting the traffic. In fact the module seems healthy but something is missing in the outputs below:
------------------------------------------------------------------
7606#show crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
Capability :
IPSEC: DES, 3DES, AES, RSA
IKE-Session : 0 active, 16383 max, 0 failed
DH : 0 active, 9999 max, 0 failed
IPSec-Session : 0 active, 65534 max, 0 failed
------------------------------------------------------------------
7606#sh crypto en brief
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: 00000000
crypto engine state: installed
crypto engine in slot: N/A
------------------------------------------------------------------
7606#sh crypto en conf
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: xxxxxxxx
crypto engine state: installed
crypto engine in slot: N/A
platform: Cisco Software Crypto Engine
Crypto Adjacency Counts:
Lock Count: 0
Unlock Count: 0
crypto lib version: 18.0.0
7606#
------------------------------------------------------------------
What troubleshooting steps should I take? The SPA is used to accelerate IPSec Virtual Tunnel Interfaces (IPsec VTIs). Here's the configuration of one tunnel interface:
!
interface Tunnelx
ip unnumbered Loopbackx
tunnel source x.x.x.x
tunnel destination x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile CRYPTO-IPSEC-PROFILE
crypto engine gre vpnblade
crypto engine slot 3/0 inside
!
Thanks.
Regards,
Antonio Soares, CCIE #18473 (R&S)
amsoares@netcabo.pt