RE: SPA-IPSEC-2G

From: Scott M Vermillion (scott_ccie_list@it-ag.com)
Date: Wed Jan 28 2009 - 14:42:50 ARST


Sorry Antonio, I was just getting ready to send you a link when I realized
that you said you upgraded the code on the box and not the SPA itself. I'm
currently dealing with a client that wanted to upgrade their crypto modules
in their 7200s but their processors didn't support the upgrade.

Promise to read more carefully starting immediately after the next cup of
coffee!!

-----Original Message-----
From: Scott M Vermillion [mailto:scott_ccie_list@it-ag.com]
Sent: Wednesday, January 28, 2009 9:39 AM
To: 'Antonio Soares'; 'security@groupstudy.com'
Cc: 'ccielab@groupstudy.com'
Subject: RE: SPA-IPSEC-2G

Hi Antonio,

What processor are you running?

Regards,

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Antonio Soares
Sent: Wednesday, January 28, 2009 5:44 AM
To: security@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: SPA-IPSEC-2G

Hello group,

Need help troubleshooting this one. One 7600 was upgraded from 12.2.18SXE1
to 12.2.33SRB2 and now the SPA-IPSEC-2G is not encrypting
the traffic. In fact the module seems healthy but something is missing in
the outputs below:

------------------------------------------------------------------
7606#show crypto eli

Hardware Encryption : ACTIVE
 Number of hardware crypto engines = 1

 CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
 Capability :
     IPSEC: DES, 3DES, AES, RSA

 IKE-Session : 0 active, 16383 max, 0 failed
 DH : 0 active, 9999 max, 0 failed
 IPSec-Session : 0 active, 65534 max, 0 failed

------------------------------------------------------------------
7606#sh crypto en brief

        crypto engine name: Cisco VPN Software Implementation
        crypto engine type: software
             serial number: 00000000
       crypto engine state: installed
     crypto engine in slot: N/A
------------------------------------------------------------------
7606#sh crypto en conf

        crypto engine name: Cisco VPN Software Implementation
        crypto engine type: software
             serial number: xxxxxxxx
       crypto engine state: installed
     crypto engine in slot: N/A
                  platform: Cisco Software Crypto Engine

   Crypto Adjacency Counts:
                Lock Count: 0
              Unlock Count: 0
        crypto lib version: 18.0.0

7606#
------------------------------------------------------------------

What troubleshooting steps should I take? The SPA is used to accelerate
IPSec Virtual Tunnel Interfaces (IPsec VTIs). Here's the
configuration of one tunnel interface:

!
interface Tunnelx
 ip unnumbered Loopbackx
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CRYPTO-IPSEC-PROFILE
 crypto engine gre vpnblade
 crypto engine slot 3/0 inside
!

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares@netcabo.pt
