RE: SPA-IPSEC-2G

From: Antonio Soares (amsoares@netcabo.pt)
Date: Wed Jan 28 2009 - 15:53:00 ARST


When IPSec VTI is enabled, the response times are very high and with some drops. This was not seen with the previous IOS release. So
we are assuming that hardware encryption is not taking place. But I need some commands to verify what is really going on with the
SPA-IPSEC.

The "show crypto eli" shows me that the SPA-IPSEC is "ACTIVE".

But the "show crypto engine brief" and "show crypto engine configuration" do not show anything related with the SPA. So I really
don't know if the SPA is doing its job or not.

So now as a workaround, we have reconfigured all tunnel interfaces as regular GRE tunnels.

Trying to answer some offline replies I received:

1) We have "VPNs in Crypto Connect Alternative Mode (CCA)":

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76cfvpn1.html#wp2494175

2) This configuration is supported with the hw/sw combination we have (12.2.33SRB2+SUP720-3B).

3) The "show module" and "show diag" outputs don't show any problems with the SSC-400 and SPA-IPSEC.

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares@netcabo.pt

-----Original Message-----
From: Rohyans, Aaron [mailto:arohyans@dpsciences.com]
Sent: Wednesday, 28 January 2009 16:04
To: Antonio Soares; security@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: RE: SPA-IPSEC-2G

Does the tunnel come up, but no traffic passes? There are a few things to try:

1. Disable the Crypto Accelerator and run in software mode to see if you can get the tunnels up and passing traffic. If yes, you
may need to experiment with the settings on your Accelerator before re-enabling it (see option 2).
2. Try experimenting with different Phase 2 transforms. I've only seen an issue like this with ISRs on 12.4 using a VPN
Accelerator, but essentially I couldn't run 3DES and had to either run AES or just DES before it would work - that or run in
software mode.

Hope this helps,

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IDS, CQS-VPN, ISSP, CISP, JNCIA-ER
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office: (317) 849-6772 x 7626
Fax: (317) 849-7134
arohyans@dpsciences.com
http://www.dpsciences.com/

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Antonio Soares
Sent: Wednesday, January 28, 2009 7:44 AM
To: security@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: SPA-IPSEC-2G

Hello group,

Need help troubleshooting this one. One 7600 was upgraded from 12.2.18SXE1 to 12.2.33SRB2 and now the SPA-IPSEC-2G is not encrypting
the traffic. In fact the module seems healthy but something is missing in the outputs below:

------------------------------------------------------------------
7606#show crypto eli

Hardware Encryption : ACTIVE
 Number of hardware crypto engines = 1

 CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
 Capability :
     IPSEC: DES, 3DES, AES, RSA

 IKE-Session : 0 active, 16383 max, 0 failed
 DH : 0 active, 9999 max, 0 failed
 IPSec-Session : 0 active, 65534 max, 0 failed

------------------------------------------------------------------
7606#sh crypto en brief

        crypto engine name: Cisco VPN Software Implementation
        crypto engine type: software
             serial number: 00000000
       crypto engine state: installed
     crypto engine in slot: N/A
------------------------------------------------------------------
7606#sh crypto en conf

        crypto engine name: Cisco VPN Software Implementation
        crypto engine type: software
             serial number: xxxxxxxx
       crypto engine state: installed
     crypto engine in slot: N/A
                  platform: Cisco Software Crypto Engine

   Crypto Adjacency Counts:
                Lock Count: 0
              Unlock Count: 0
        crypto lib version: 18.0.0

7606#
------------------------------------------------------------------

What troubleshooting steps should I take? The SPA is used to accelerate IPSec Virtual Tunnel Interfaces (IPsec VTIs). Here's the
configuration of one tunnel interface:

!
interface Tunnelx
 ip unnumbered Loopbackx
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CRYPTO-IPSEC-PROFILE
 crypto engine gre vpnblade
 crypto engine slot 3/0 inside
!

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares@netcabo.pt
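The cross-check this thread is doing by hand (SPA "ACTIVE" in show crypto eli, only a software engine in show crypto engine brief, zero sessions on the SPA) as an added script, not part of the thread or of Cisco's tooling; it runs over constructed copies of the outputs pasted above and assumes a hardware engine would be listed by "show crypto engine brief" with a type other than "software".

```python
import re

# Constructed samples mirroring the outputs pasted in the thread (not live captures).
SHOW_CRYPTO_ELI = """\
Hardware Encryption : ACTIVE
 Number of hardware crypto engines = 1

 CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
 Capability :
     IPSEC: DES, 3DES, AES, RSA

 IKE-Session : 0 active, 16383 max, 0 failed
 DH : 0 active, 9999 max, 0 failed
 IPSec-Session : 0 active, 65534 max, 0 failed
"""
SHOW_CRYPTO_ENGINE_BRIEF = """\
        crypto engine name: Cisco VPN Software Implementation
        crypto engine type: software
             serial number: 00000000
       crypto engine state: installed
     crypto engine in slot: N/A
"""

def parse_eli(text):
    """Return (hardware_active, {slot: state}, {counter: active_sessions}) from show crypto eli."""
    hw = re.search(r"Hardware Encryption\s*:\s*(\w+)", text)
    engines = {m.group(2): m.group(3) for m in re.finditer(
        r"CryptoEngine\s+([^\[\s]+)\[(\d+/\d+)\]\s+details:\s+state\s*=\s*(\w+)", text)}
    sessions = {k: int(v) for k, v in re.findall(
        r"(IKE-Session|DH|IPSec-Session)\s*:\s*(\d+) active", text)}
    active = hw is not None and hw.group(1).upper() == "ACTIVE"
    return active, engines, sessions

def parse_engine_types(text):
    """Return the 'crypto engine type' values listed by show crypto engine brief/configuration."""
    return re.findall(r"crypto engine type:\s*(\w+)", text)

def diagnose(eli_text, brief_text):
    """Flag the discrepancies worth checking before concluding the SPA is not encrypting."""
    active, engines, sessions = parse_eli(eli_text)
    findings = []
    if not active or not any(s.lower() == "active" for s in engines.values()):
        findings.append("show crypto eli reports no active hardware engine")
    # Assumption: a hardware engine would appear here with a type other than 'software'.
    if all(t.lower() == "software" for t in parse_engine_types(brief_text)):
        findings.append("show crypto engine brief lists only the software engine")
    if active and sessions.get("IPSec-Session", 0) == 0:
        findings.append("hardware engine is active but shows 0 active IPSec sessions")
    return findings
```

Run diagnose() against fresh captures after each change (for example after toggling the crypto engine slot binding) to see which of the three findings clears.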

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST