From: Michael Todd (michaeldtodd@comcast.net)
Date: Wed Jan 28 2009 - 20:11:14 ARST
PLEASE DON'T COPY ME ON YOUR EMAILS ANYMORE...
THANKS
On Jan 28, 2009, at 2:09 PM, Nitin Venugopal wrote:
> Does your show crypto eli show you any IKE or IPSEC sessions?
>
>
> # show crypto eli
> Hardware Encryption Layer :   ACTIVE
> Number of crypto engines = 1 .
> CryptoEngine-SPA-IPSEC-2G[5/0] (slot-5/0) details.
> Capability-IPSec : No-IPPCP, 3DES, AES, RSA
> IKE-Session   :    34 active, 10921 max, 0 failed
> DH-Key        :     0 active,  9999 max, 0 failed
> IPSec-Session :   196 active, 21842 max, 0 failed
>
> Does your #show crypto ipsec sa indicate hardware encryption?
>
>   local  ident (addr/mask/prot/port): (172.21.20.0/255.255.254.0/0/0)
>   remote ident (addr/mask/prot/port): (172.25.107.0/255.255.255.0/0/0)
>   current_peer: 172.30.10.87:500
>     PERMIT, flags={origin_is_acl,}
>    #pkts encaps: 4333138, #pkts encrypt: 4333138, #pkts digest: 4333138
>    #pkts decaps: 3410511, #pkts decrypt: 3410511, #pkts verify: 3410511
>    #pkts compressed: 0, #pkts decompressed: 0
>    #pkts not compressed: 0, #pkts compr. failed: 0
>    #pkts not decompressed: 0, #pkts decompress failed: 0
>    #send errors 1, #recv errors 0
>     local crypto endpt.: 172.30.1.65, remote crypto endpt.: 172.30.10.87
>     path mtu 1500, media mtu 1500
>     current outbound spi: AA2573C
>     inbound esp sas:
>      spi: 0x919A3457(2442802263)
>        transform: esp-3des esp-sha-hmac ,
>        in use settings ={Tunnel, }
>        slot/subslot: 5/0, conn id: 11037, flow_id: 114, crypto map: mbank
>        crypto engine type: Hardware, engine_id: 2
>        sa timing: remaining key lifetime (k/sec): (205245/2336)
>        ike_cookies: A54055D1 12D8A90E 2E1AA3AE 499E095D
>        IV size: 8 bytes
>        replay detection support: Y
>     inbound ah sas:
>     inbound pcp sas:
>     outbound esp sas:
>      spi: 0xAA2573C(178411324)
>        transform: esp-3des esp-sha-hmac ,
>        in use settings ={Tunnel, }
>        slot/subslot: 5/0, conn id: 11038, flow_id: 115, crypto map: mbank
>        crypto engine type: Hardware, engine_id: 2
>        sa timing: remaining key lifetime (k/sec): (205249/2336)
>        ike_cookies: A54055D1 12D8A90E 2E1AA3AE 499E095D
>        IV size: 8 bytes
>        replay detection support: Y
>     outbound ah sas:
>     outbound pcp sas:
>
> I have a feeling your SPA module is working, but there are some other
> issues causing drops. Also, as per my understanding, once you have a SPA
> module on your 7600, software-based encryption no longer works (you can
> try with a normal IPsec with no crypto slot commands; it doesn't work).
>
> Can you share the output of command show crypto sessions?
>
> Best Regards
> Nithin
>
>
> On Wed, Jan 28, 2009 at 9:53 PM, Antonio Soares <amsoares@netcabo.pt> wrote:
>
>> When IPSec VTI is enabled, the response times are very high and with some
>> drops. This was not seen with the previous IOS release. So we are assuming
>> that hardware encryption is not taking place. But I need some commands to
>> verify what is really going on with the SPA-IPSEC.
>>
>> The "show crypto eli" shows me that the SPA-IPSEC is "ACTIVE".
>>
>> But the "show crypto engine brief" and "show crypto engine configuration"
>> do not show anything related to the SPA. So I really don't know if the SPA
>> is doing its job or not.
>>
>> So now, as a workaround, we have reconfigured all tunnel interfaces as
>> regular GRE tunnels.
>>
>> Trying to answer some offline replies I received:
>>
>> 1) We have "VPNs in Crypto Connect Alternative Mode (CCA)":
>>
>> http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76cfvpn1.html#wp2494175
>>
>> 2) This configuration is supported with the hw/sw combination we have
>> (12.2.33SRB2+SUP720-3B).
>>
>> 3) The "show module" and "show diag" outputs don't show any problems with
>> the SSC-400 and SPA-IPSEC.
>>
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S)
>> amsoares@netcabo.pt
>>
>> -----Original Message-----
>> From: Rohyans, Aaron [mailto:arohyans@dpsciences.com]
>> Sent: Wednesday, 28 January 2009 16:04
>> To: Antonio Soares; security@groupstudy.com
>> Cc: ccielab@groupstudy.com
>> Subject: RE: SPA-IPSEC-2G
>>
>> Does the tunnel come up, but no traffic passes?  There are a few things to
>> try:
>>
>> 1.  Disable the Crypto Accelerator and run in software mode to see if you
>> can get the tunnels up and passing traffic.  If yes, you may need to
>> experiment with the settings on your Accelerator before re-enabling it (see
>> option 2).
>> 2.  Try experimenting with different Phase 2 transforms.  I've only seen an
>> issue like this with ISRs on 12.4 using a VPN Accelerator, but essentially
>> I couldn't run 3DES and had to either run AES or just DES before it would
>> work - that or run in software mode.
>>
>> Hope this helps,
>>
>> Aaron T. Rohyans
>> Senior Network Engineer
>> CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IDS, CQS-VPN, ISSP, CISP, JNCIA-ER
>> DPSciences Corporation
>> 7400 N. Shadeland Ave., Suite 245
>> Indianapolis, IN 46250
>> Office:  (317) 849-6772 x 7626
>> Fax:   (317) 849-7134
>> arohyans@dpsciences.com
>> http://www.dpsciences.com/
>>
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Antonio Soares
>> Sent: Wednesday, January 28, 2009 7:44 AM
>> To: security@groupstudy.com
>> Cc: ccielab@groupstudy.com
>> Subject: SPA-IPSEC-2G
>>
>> Hello group,
>>
>> Need help troubleshooting this one. One 7600 was upgraded from 12.2.18SXE1
>> to 12.2.33SRB2 and now the SPA-IPSEC-2G is not encrypting the traffic. In
>> fact the module seems healthy but something is missing in the outputs below:
>>
>> ------------------------------------------------------------------
>> 7606#show crypto eli
>>
>> Hardware Encryption : ACTIVE
>> Number of hardware crypto engines = 1
>>
>> CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
>> Capability      :
>>    IPSEC: DES, 3DES, AES, RSA
>>
>> IKE-Session   :     0 active, 16383 max, 0 failed
>> DH            :     0 active,  9999 max, 0 failed
>> IPSec-Session :     0 active, 65534 max, 0 failed
>>
>> ------------------------------------------------------------------
>> 7606#sh crypto en brief
>>
>>       crypto engine name:  Cisco VPN Software Implementation
>>       crypto engine type:  software
>>            serial number:  00000000
>>      crypto engine state:  installed
>>    crypto engine in slot:  N/A
>> ------------------------------------------------------------------
>> 7606#sh crypto en conf
>>
>>       crypto engine name:  Cisco VPN Software Implementation
>>       crypto engine type:  software
>>            serial number:  xxxxxxxx
>>      crypto engine state:  installed
>>    crypto engine in slot:  N/A
>>                 platform:  Cisco Software Crypto Engine
>>
>>  Crypto Adjacency Counts:
>>               Lock Count:  0
>>             Unlock Count:  0
>>       crypto lib version:  18.0.0
>>
>> 7606#
>> ------------------------------------------------------------------
>>
>> What troubleshooting steps should I take? The SPA is used to accelerate
>> IPSec Virtual Tunnel Interfaces (IPsec VTIs). Here's the configuration of
>> one tunnel interface:
>>
>> !
>> interface Tunnelx
>>  ip unnumbered Loopbackx
>>  tunnel source x.x.x.x
>>  tunnel destination x.x.x.x
>>  tunnel mode ipsec ipv4
>>  tunnel protection ipsec profile CRYPTO-IPSEC-PROFILE
>>  crypto engine gre vpnblade
>>  crypto engine slot 3/0 inside
>> !
>>
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S)
>> amsoares@netcabo.pt
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST
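As an added example (not code from the thread or from any of its participants), a small Python checker that parses the "show crypto eli" and "show crypto ipsec sa" outputs quoted above and separates the working box (sessions active, SAs on the Hardware engine) from the upgraded box whose SPA reports ACTIVE but carries zero IKE/IPsec sessions. The sample strings are trimmed copies of the thread's outputs; the function names are my own.

```python
import re

# Trimmed copies of the two "show crypto eli" outputs posted in the thread
# (Nitin's working box and Antonio's upgraded box) plus an SA fragment.
ELI_WORKING = """Hardware Encryption Layer :   ACTIVE
Number of crypto engines = 1 .
IKE-Session   :    34 active, 10921 max, 0 failed
DH-Key        :     0 active,  9999 max, 0 failed
IPSec-Session :   196 active, 21842 max, 0 failed
"""
ELI_UPGRADED = """Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
IKE-Session   :     0 active, 16383 max, 0 failed
DH            :     0 active,  9999 max, 0 failed
IPSec-Session :     0 active, 65534 max, 0 failed
"""
SA_WORKING = """     inbound esp sas:
      spi: 0x919A3457(2442802263)
        crypto engine type: Hardware, engine_id: 2
     outbound esp sas:
      spi: 0xAA2573C(178411324)
        crypto engine type: Hardware, engine_id: 2
"""

# Both spellings seen in the thread: "Hardware Encryption Layer :" and "Hardware Encryption :"
HW_RE = re.compile(r"^Hardware Encryption(?: Layer)?\s*:\s*(\S+)", re.M)
SESSION_RE = re.compile(r"^(IKE-Session|IPSec-Session)\s*:\s*(\d+) active", re.M)
ENGINE_RE = re.compile(r"crypto engine type:\s*(\w+)")


def parse_eli(text):
    """Return (hardware_active, {counter_name: active_count}) from 'show crypto eli'."""
    m = HW_RE.search(text)
    counts = {name: int(n) for name, n in SESSION_RE.findall(text)}
    return (m is not None and m.group(1) == "ACTIVE", counts)


def sa_engine_types(text):
    """List the 'crypto engine type' of every SA in 'show crypto ipsec sa' output."""
    return ENGINE_RE.findall(text)


def assess(eli_text, sa_text=""):
    """Classify whether the SPA is actually carrying the IPsec workload."""
    hw_active, counts = parse_eli(eli_text)
    if not hw_active:
        return "hardware engine not active"
    if counts.get("IKE-Session", 0) == 0 and counts.get("IPSec-Session", 0) == 0:
        return "hardware engine active but idle: no IKE/IPsec sessions offloaded"
    if any(t != "Hardware" for t in sa_engine_types(sa_text)):
        return "some SAs are on a software engine"
    return "hardware encryption in use"
```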