RE: SPA-IPSEC-2G

From: Scott M Vermillion (scott_ccie_list@it-ag.com)
Date: Wed Jan 28 2009 - 14:39:14 ARST

• Next message: Scott M Vermillion: "RE: SPA-IPSEC-2G"
• Previous message: Jared Scrivener: "RE: ip multicast rate-limit command"
• Maybe in reply to: Antonio Soares: "SPA-IPSEC-2G"
• Next in thread: Scott M Vermillion: "RE: SPA-IPSEC-2G"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi Antonio,

What processor are you running?

Regards,

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Antonio Soares
Sent: Wednesday, January 28, 2009 5:44 AM
To: security@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: SPA-IPSEC-2G

Hello group,

Need help troubleshooting this one. One 7600 was upgraded from 12.2.18SXE1
to 12.2.33SRB2 and now the SPA-IPSEC-2G is not encrypting
the traffic. In fact the module seems healthy but something is missing in
the outputs bellow:

------------------------------------------------------------------
7606#show crypto eli

Hardware Encryption : ACTIVE
 Number of hardware crypto engines = 1

 CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
 Capability :
     IPSEC: DES, 3DES, AES, RSA

 IKE-Session : 0 active, 16383 max, 0 failed
 DH : 0 active, 9999 max, 0 failed
 IPSec-Session : 0 active, 65534 max, 0 failed

------------------------------------------------------------------
7606#sh crypto en brief

        crypto engine name: Cisco VPN Software Implementation
        crypto engine type: software
             serial number: 00000000
       crypto engine state: installed
     crypto engine in slot: N/A
------------------------------------------------------------------
7606#sh crypto en conf

        crypto engine name: Cisco VPN Software Implementation
        crypto engine type: software
             serial number: xxxxxxxx
       crypto engine state: installed
     crypto engine in slot: N/A
                  platform: Cisco Software Crypto Engine

   Crypto Adjacency Counts:
                Lock Count: 0
              Unlock Count: 0
        crypto lib version: 18.0.0

7606#
------------------------------------------------------------------

What troubleshooting steps should i take ? The SPA is used to accelerate
IPSec Virtual Tunnel Interfaces (IPsec VTIs). Here's the
configuration of one tunnel interface:

!
interface Tunnelx
 ip unnumbered Loopbackx
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CRYPTO-IPSEC-PROFILE
 crypto engine gre vpnblade
 crypto engine slot 3/0 inside
!

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares@netcabo.pt

Blogs and organic groups at http://www.ccie.net

• Next message: Scott M Vermillion: "RE: SPA-IPSEC-2G"
• Previous message: Jared Scrivener: "RE: ip multicast rate-limit command"
• Maybe in reply to: Antonio Soares: "SPA-IPSEC-2G"
• Next in thread: Scott M Vermillion: "RE: SPA-IPSEC-2G"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST