Re: SPA-IPSEC-2G

From: Nitin Venugopal (nitinsworld@gmail.com)
Date: Wed Jan 28 2009 - 15:27:31 ARST


Hi Antonio,

You must be running the SPA in vrf mode?

A few options to try out:

After enabling or disabling VRF mode using the [*no*] *crypto engine mode
vrf* command, you must reload the supervisor engine. In addition, MPLS
tunnel recirculation must be enabled for VRF mode. That is, you must add the
*mls mpls tunnel-recir* command before entering the *crypto engine
mode vrf* command.

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76cfvpna.html#wp2048824

Regds
Nitin

On Wed, Jan 28, 2009 at 8:03 PM, Rohyans, Aaron <arohyans@dpsciences.com> wrote:

> Does the tunnel come up, but no traffic passes? There are a few things to
> try:
>
> 1. Disable the Crypto Accelerator and run in software mode to see if you
> can get the tunnels up and passing traffic. If yes, you may need to
> experiment with the settings on your Accelerator before re-enabling it (see
> option 2).
> 2. Try experimenting with different Phase 2 transforms. I've only seen an
> issue like this with ISRs on 12.4 using a VPN Accelerator, but essentially I
> couldn't run 3DES and had to either run AES or just DES before it would work
> - that or run in software mode.
>
> Hope this helps,
>
> Aaron T. Rohyans
> Senior Network Engineer
> CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IDS, CQS-VPN, ISSP, CISP,
> JNCIA-ER
> DPSciences Corporation
> 7400 N. Shadeland Ave., Suite 245
> Indianapolis, IN 46250
> Office: (317) 849-6772 x 7626
> Fax: (317) 849-7134
> arohyans@dpsciences.com
> http://www.dpsciences.com/
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Antonio Soares
> Sent: Wednesday, January 28, 2009 7:44 AM
> To: security@groupstudy.com
> Cc: ccielab@groupstudy.com
> Subject: SPA-IPSEC-2G
>
> Hello group,
>
> Need help troubleshooting this one. One 7600 was upgraded from 12.2.18SXE1
> to 12.2.33SRB2 and now the SPA-IPSEC-2G is not encrypting
> the traffic. In fact the module seems healthy but something is missing in
> the outputs below:
>
> ------------------------------------------------------------------
> 7606#show crypto eli
>
> Hardware Encryption : ACTIVE
> Number of hardware crypto engines = 1
>
> CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
> Capability :
> IPSEC: DES, 3DES, AES, RSA
>
> IKE-Session : 0 active, 16383 max, 0 failed
> DH : 0 active, 9999 max, 0 failed
> IPSec-Session : 0 active, 65534 max, 0 failed
>
> ------------------------------------------------------------------
> 7606#sh crypto en brief
>
> crypto engine name: Cisco VPN Software Implementation
> crypto engine type: software
> serial number: 00000000
> crypto engine state: installed
> crypto engine in slot: N/A
> ------------------------------------------------------------------
> 7606#sh crypto en conf
>
> crypto engine name: Cisco VPN Software Implementation
> crypto engine type: software
> serial number: xxxxxxxx
> crypto engine state: installed
> crypto engine in slot: N/A
> platform: Cisco Software Crypto Engine
>
> Crypto Adjacency Counts:
> Lock Count: 0
> Unlock Count: 0
> crypto lib version: 18.0.0
>
> 7606#
> ------------------------------------------------------------------
>
> What troubleshooting steps should I take? The SPA is used to accelerate
> IPSec Virtual Tunnel Interfaces (IPsec VTIs). Here's the
> configuration of one tunnel interface:
>
> !
> interface Tunnelx
> ip unnumbered Loopbackx
> tunnel source x.x.x.x
> tunnel destination x.x.x.x
> tunnel mode ipsec ipv4
> tunnel protection ipsec profile CRYPTO-IPSEC-PROFILE
> crypto engine gre vpnblade
> crypto engine slot 3/0 inside
> !
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares@netcabo.pt
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html


This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST