Re: SPA-IPSEC-2G

From: Nitin Venugopal (nitinsworld@gmail.com)
Date: Wed Jan 28 2009 - 17:09:33 ARST


Does your show crypto eli show you any IKE or IPSEC sessions?

# show crypto eli
Hardware Encryption Layer : ACTIVE
 Number of crypto engines = 1 .
 CryptoEngine-SPA-IPSEC-2G[5/0] (slot-5/0) details.
 Capability-IPSec : No-IPPCP, 3DES, AES, RSA
 IKE-Session : 34 active, 10921 max, 0 failed
 DH-Key : 0 active, 9999 max, 0 failed
 IPSec-Session : 196 active, 21842 max, 0 failed

Does your #show crypto ipsec sa indicate hardware encryption?

   local ident (addr/mask/prot/port): (172.21.20.0/255.255.254.0/0/0)
   remote ident (addr/mask/prot/port): (172.25.107.0/255.255.255.0/0/0)
   current_peer: 172.30.10.87:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4333138, #pkts encrypt: 4333138, #pkts digest: 4333138
    #pkts decaps: 3410511, #pkts decrypt: 3410511, #pkts verify: 3410511
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 172.30.1.65, remote crypto endpt.: 172.30.10.87
     path mtu 1500, media mtu 1500
     current outbound spi: AA2573C
     inbound esp sas:
      spi: 0x919A3457(2442802263)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot/subslot: 5/0, conn id: 11037, flow_id: 114, crypto map: mbank
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (205245/2336)
        ike_cookies: A54055D1 12D8A90E 2E1AA3AE 499E095D
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xAA2573C(178411324)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot/subslot: 5/0, conn id: 11038, flow_id: 115, crypto map: mbank
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (205249/2336)
        ike_cookies: A54055D1 12D8A90E 2E1AA3AE 499E095D
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:

I have a feeling your SPA module is working but there are some other
issues causing drops. Also, as per my understanding, once you have the SPA module
on your 7600, software-based encryption no longer works (you can try with
a normal IPsec with no crypto slot commands; it doesn't work).

Can you share the output of command show crypto sessions?

Best Regards
Nithin

On Wed, Jan 28, 2009 at 9:53 PM, Antonio Soares <amsoares@netcabo.pt> wrote:

> When IPSec VTI is enabled, the response times are very high and with some
> drops. This was not seen with the previous IOS release. So
> we are assuming that hardware encryption is not taking place. But I need
> some commands to verify what is really going on with the
> SPA-IPSEC.
>
> The "show crypto eli" shows me that the SPA-IPSEC is "ACTIVE".
>
> But the "show crypto engine brief" and "show crypto engine configuration"
> do not show anything related with the SPA. So I really
> don't know if the SPA is doing its job or not.
>
> So now as a workaround, we have reconfigured all tunnel interfaces as
> regular GRE tunnels.
>
> Trying to answer some offline replies I received:
>
> 1) We have "VPNs in Crypto Connect Alternative Mode (CCA)":
>
>
> http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76cfvpn1.html#wp2494175
>
> 2) This configuration is supported with the hw/sw combination we have
> (12.2.33SRB2+SUP720-3B).
>
> 3) The "show module" and "show diag" outputs don't show any problems with
> the SSC-400 and SPA-IPSEC.
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares@netcabo.pt
>
> -----Original Message-----
> From: Rohyans, Aaron [mailto:arohyans@dpsciences.com]
> Sent: Wednesday, 28 January 2009 16:04
> To: Antonio Soares; security@groupstudy.com
> Cc: ccielab@groupstudy.com
> Subject: RE: SPA-IPSEC-2G
>
> Does the tunnel come up, but no traffic passes? There are a few things to
> try:
>
> 1. Disable the Crypto Accelerator and run in software mode to see if you
> can get the tunnels up and passing traffic. If yes, you
> may need to experiment with the settings on your Accelerator before
> re-enabling it (see option 2).
> 2. Try experimenting with different Phase 2 transforms. I've only seen an
> issue like this with ISRs on 12.4 using a VPN
> Accelerator, but essentially I couldn't run 3DES and had to either run AES
> or just DES before it would work - that or run in
> software mode.
>
> Hope this helps,
>
> Aaron T. Rohyans
> Senior Network Engineer
> CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IDS, CQS-VPN, ISSP, CISP,
> JNCIA-ER DPSciences Corporation 7400 N. Shadeland Ave., Suite
> 245 Indianapolis, IN 46250
> Office: (317) 849-6772 x 7626
> Fax: (317) 849-7134
> arohyans@dpsciences.com
> http://www.dpsciences.com/
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Antonio Soares
> Sent: Wednesday, January 28, 2009 7:44 AM
> To: security@groupstudy.com
> Cc: ccielab@groupstudy.com
> Subject: SPA-IPSEC-2G
>
> Hello group,
>
> Need help troubleshooting this one. One 7600 was upgraded from 12.2.18SXE1
> to 12.2.33SRB2 and now the SPA-IPSEC-2G is not encrypting
> the traffic. In fact the module seems healthy but something is missing in
> the outputs below:
>
> ------------------------------------------------------------------
> 7606#show crypto eli
>
> Hardware Encryption : ACTIVE
> Number of hardware crypto engines = 1
>
> CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
> Capability :
> IPSEC: DES, 3DES, AES, RSA
>
> IKE-Session : 0 active, 16383 max, 0 failed
> DH : 0 active, 9999 max, 0 failed
> IPSec-Session : 0 active, 65534 max, 0 failed
>
> ------------------------------------------------------------------
> 7606#sh crypto en brief
>
> crypto engine name: Cisco VPN Software Implementation
> crypto engine type: software
> serial number: 00000000
> crypto engine state: installed
> crypto engine in slot: N/A
> ------------------------------------------------------------------
> 7606#sh crypto en conf
>
> crypto engine name: Cisco VPN Software Implementation
> crypto engine type: software
> serial number: xxxxxxxx
> crypto engine state: installed
> crypto engine in slot: N/A
> platform: Cisco Software Crypto Engine
>
> Crypto Adjacency Counts:
> Lock Count: 0
> Unlock Count: 0
> crypto lib version: 18.0.0
>
> 7606#
> ------------------------------------------------------------------
>
> What troubleshooting steps should I take? The SPA is used to accelerate
> IPSec Virtual Tunnel Interfaces (IPsec VTIs). Here's the
> configuration of one tunnel interface:
>
> !
> interface Tunnelx
>  ip unnumbered Loopbackx
>  tunnel source x.x.x.x
>  tunnel destination x.x.x.x
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile CRYPTO-IPSEC-PROFILE
>  crypto engine gre vpnblade
>  crypto engine slot 3/0 inside
> !
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares@netcabo.pt
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
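The checks Nithin asks for in this thread (does "show crypto eli" report active sessions, and does "show crypto ipsec sa" bind the SAs to a hardware engine with moving counters) can be scripted against saved CLI output. The following is an added example written for this archive page, not code posted by any participant. It parses the two outputs in the formats quoted above; the sample strings are constructed, trimmed copies of the outputs in the thread, and the regular expressions assume those exact IOS output layouts.

```python
"""Offline checker for Cisco IOS 'show crypto eli' and 'show crypto ipsec sa' text.
Added example for this mailing-list page; the samples below are constructed
from the outputs quoted in the thread and the parsing assumes those layouts."""
import re

# Constructed sample: the working SPA output posted by Nithin (slot 5/0).
ELI_WORKING = """Hardware Encryption Layer : ACTIVE
 Number of crypto engines = 1 .
 CryptoEngine-SPA-IPSEC-2G[5/0] (slot-5/0) details.
 Capability-IPSec : No-IPPCP, 3DES, AES, RSA
 IKE-Session : 34 active, 10921 max, 0 failed
 DH-Key : 0 active, 9999 max, 0 failed
 IPSec-Session : 196 active, 21842 max, 0 failed
"""

# Constructed sample: Antonio's 7606 after the upgrade, SPA active but idle.
ELI_IDLE = """Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
IKE-Session : 0 active, 16383 max, 0 failed
DH : 0 active, 9999 max, 0 failed
IPSec-Session : 0 active, 65534 max, 0 failed
"""

# Constructed sample: trimmed 'show crypto ipsec sa' with hardware-bound ESP SAs.
SA_HARDWARE = """   local ident (addr/mask/prot/port): (172.21.20.0/255.255.254.0/0/0)
   remote ident (addr/mask/prot/port): (172.25.107.0/255.255.255.0/0/0)
   current_peer: 172.30.10.87:500
    #pkts encaps: 4333138, #pkts encrypt: 4333138, #pkts digest: 4333138
    #pkts decaps: 3410511, #pkts decrypt: 3410511, #pkts verify: 3410511
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0x919A3457(2442802263)
        transform: esp-3des esp-sha-hmac ,
        slot/subslot: 5/0, conn id: 11037, flow_id: 114, crypto map: mbank
        crypto engine type: Hardware, engine_id: 2
     inbound ah sas:
     outbound esp sas:
      spi: 0xAA2573C(178411324)
        transform: esp-3des esp-sha-hmac ,
        slot/subslot: 5/0, conn id: 11038, flow_id: 115, crypto map: mbank
        crypto engine type: Hardware, engine_id: 2
"""


def parse_crypto_eli(text):
    """Return whether the hardware layer is ACTIVE and the active IKE/IPsec counts."""
    result = {"hardware_active": False, "ike_active": 0, "ipsec_active": 0}
    m = re.search(r"Hardware Encryption(?: Layer)?\s*:\s*(\w+)", text)
    if m:
        result["hardware_active"] = m.group(1).upper() == "ACTIVE"
    for key, label in (("ike_active", "IKE-Session"), ("ipsec_active", "IPSec-Session")):
        m = re.search(rf"{label}\s*:\s*(\d+) active", text)
        if m:
            result[key] = int(m.group(1))
    return result


def parse_ipsec_sa(text):
    """Return packet counters and, per ESP SA, its SPI and the engine it is bound to."""
    counters = {}
    for name in ("encaps", "decaps", "encrypt", "decrypt"):
        m = re.search(rf"#pkts {name}: (\d+)", text)
        counters[name] = int(m.group(1)) if m else 0
    sas, section = [], (None, None)  # (direction, protocol) of the current SA list
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("sas:"):
            section = (s.split()[0], s.split()[1])
        elif s.startswith("spi:") and section[1] == "esp":
            sas.append({"direction": section[0],
                        "spi": s.split()[1].split("(")[0], "engine": None})
        elif s.startswith("crypto engine type:") and sas:
            sas[-1]["engine"] = s.split(":")[1].split(",")[0].strip()
    return {"counters": counters, "sas": sas}


def diagnose(eli, sa):
    """List the symptoms discussed in the thread; an empty list means all checks pass."""
    findings = []
    if not eli["hardware_active"]:
        findings.append("hardware encryption layer not ACTIVE")
    elif eli["ipsec_active"] == 0:
        findings.append("SPA active but owns no IPsec sessions")
    for entry in sa["sas"]:
        if entry["engine"] != "Hardware":
            findings.append(f"{entry['direction']} SA {entry['spi']} on engine "
                            f"{entry['engine']}, not Hardware")
    c = sa["counters"]
    if c["encaps"] and c["encrypt"] != c["encaps"]:
        findings.append("encaps and encrypt counters disagree")
    return findings


if __name__ == "__main__":
    for label, eli_text in (("working", ELI_WORKING), ("idle", ELI_IDLE)):
        print(label, diagnose(parse_crypto_eli(eli_text), parse_ipsec_sa(SA_HARDWARE)))
```

Run it against text captured from the router with "show crypto eli" and "show crypto ipsec sa"; an SA whose "crypto engine type" is anything other than Hardware, or an ACTIVE SPA reporting zero IPsec sessions while IPsec tunnels are configured, is the condition the thread is trying to pin down.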



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST