From: Antonio Soares (amsoares@netcabo.pt)
Date: Thu Jan 29 2009 - 08:42:02 ARST
Yes, we configured one tunnel again and I have this "show crypto eli" output:
---------------------------------------------------------
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
Capability :
IPSEC: DES, 3DES, AES, RSA
IKE-Session : 1 active, 16383 max, 0 failed
DH : 0 active, 9999 max, 0 failed
IPSec-Session : 2 active, 65534 max, 0 failed
---------------------------------------------------------
So this should mean hw encryption is taking place. But why do the "show crypto engine brief" and "show crypto engine configuration"
not show anything related to the SPA? I will try to get some more outputs, but I agree with you: the issue is something other
than a problem with the SPA.
Thanks.
Regards,
Antonio Soares, CCIE #18473 (R&S)
amsoares@netcabo.pt
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Nitin Venugopal
Sent: Wednesday, 28 January 2009 19:10
To: Antonio Soares
Cc: Rohyans, Aaron; security@groupstudy.com; ccielab@groupstudy.com
Subject: Re: SPA-IPSEC-2G
Does your show crypto eli show you any IKE or IPSEC sessions?
# show crypto eli
Hardware Encryption Layer : ACTIVE
Number of crypto engines = 1 .
CryptoEngine-SPA-IPSEC-2G[5/0] (slot-5/0) details.
Capability-IPSec : No-IPPCP, 3DES, AES, RSA
IKE-Session : 34 active, 10921 max, 0 failed
DH-Key : 0 active, 9999 max, 0 failed
IPSec-Session : 196 active, 21842 max, 0 failed
Does your #show crypto ipsec sa indicate hardware encryption?
local ident (addr/mask/prot/port): (172.21.20.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (172.25.107.0/255.255.255.0/0/0)
current_peer: 172.30.10.87:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4333138, #pkts encrypt: 4333138, #pkts digest: 4333138
#pkts decaps: 3410511, #pkts decrypt: 3410511, #pkts verify: 3410511
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 172.30.1.65, remote crypto endpt.: 172.30.10.87
path mtu 1500, media mtu 1500
current outbound spi: AA2573C
inbound esp sas:
spi: 0x919A3457(2442802263)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot/subslot: 5/0, conn id: 11037, flow_id: 114, crypto map: mbank
crypto engine type: Hardware, engine_id: 2
sa timing: remaining key lifetime (k/sec): (205245/2336)
ike_cookies: A54055D1 12D8A90E 2E1AA3AE 499E095D
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xAA2573C(178411324)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot/subslot: 5/0, conn id: 11038, flow_id: 115, crypto map: mbank
crypto engine type: Hardware, engine_id: 2
sa timing: remaining key lifetime (k/sec): (205249/2336)
ike_cookies: A54055D1 12D8A90E 2E1AA3AE 499E095D
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
I have a feeling your SPA module is working but there are some other issues causing drops. Also, as per my understanding, once you
have an SPA module on your 7600, software-based encryption no longer works (you can try a normal IPsec configuration with no crypto slot
commands - it doesn't work).
Can you share the output of command show crypto sessions?
Best Regards
Nithin
On Wed, Jan 28, 2009 at 9:53 PM, Antonio Soares <amsoares@netcabo.pt> wrote:
> When IPSec VTI is enabled, the response times are very high and with
> some drops. This was not seen with the previous IOS release. So we are
> assuming that hardware encryption is not taking place. But I need some
> commands to verify what is really going on with the SPA-IPSEC.
>
> The "show crypto eli" shows me that the SPA-IPSEC is "ACTIVE".
>
> But the "show crypto engine brief" and "show crypto engine configuration"
> do not show anything related to the SPA. So I really don't know if
> the SPA is doing its job or not.
>
> So now as a workaround, we have reconfigured all tunnel interfaces as
> regular GRE tunnels.
>
> Trying to answer some offline replies i received:
>
> 1) We have "VPNs in Crypto Connect Alternative Mode (CCA)":
>
>
> http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76cfvpn1.html#wp2494175
>
> 2) This configuration is supported with the hw/sw combination we have
> (12.2.33SRB2+SUP720-3B).
>
> 3) The "show module" and "show diag" outputs don't show any problems
> with the SSC-400 and SPA-IPSEC.
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares@netcabo.pt
>
> -----Original Message-----
> From: Rohyans, Aaron [mailto:arohyans@dpsciences.com]
> Sent: Wednesday, 28 January 2009 16:04
> To: Antonio Soares; security@groupstudy.com
> Cc: ccielab@groupstudy.com
> Subject: RE: SPA-IPSEC-2G
>
> Does the tunnel come up, but no traffic passes? There are a few things to try:
>
> 1. Disable the Crypto Accelerator and run in software mode to see if
> you can get the tunnels up and passing traffic. If yes, you may need
> to experiment with the settings on your Accelerator before re-enabling
> it (see option 2).
> 2. Try experimenting with different Phase 2 transforms. I've only
> seen an issue like this with ISRs on 12.4 using a VPN Accelerator, but
> essentially I couldn't run 3DES and had to either run AES or just DES
> before it would work - that or run in software mode.
>
> Hope this helps,
>
> Aaron T. Rohyans
> Senior Network Engineer
> CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IDS, CQS-VPN, ISSP, CISP, JNCIA-ER
> DPSciences Corporation
> 7400 N. Shadeland Ave., Suite 245
> Indianapolis, IN 46250
> Office: (317) 849-6772 x 7626
> Fax: (317) 849-7134
> arohyans@dpsciences.com
> http://www.dpsciences.com/
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Antonio Soares
> Sent: Wednesday, January 28, 2009 7:44 AM
> To: security@groupstudy.com
> Cc: ccielab@groupstudy.com
> Subject: SPA-IPSEC-2G
>
> Hello group,
>
> Need help troubleshooting this one. One 7600 was upgraded from
> 12.2.18SXE1 to 12.2.33SRB2 and now the SPA-IPSEC-2G is not encrypting
> the traffic. In fact the module seems healthy but something is missing
> in the outputs below:
>
> ------------------------------------------------------------------
> 7606#show crypto eli
>
> Hardware Encryption : ACTIVE
> Number of hardware crypto engines = 1
>
> CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
> Capability :
> IPSEC: DES, 3DES, AES, RSA
>
> IKE-Session : 0 active, 16383 max, 0 failed
> DH : 0 active, 9999 max, 0 failed
> IPSec-Session : 0 active, 65534 max, 0 failed
>
> ------------------------------------------------------------------
> 7606#sh crypto en brief
>
> crypto engine name: Cisco VPN Software Implementation
> crypto engine type: software
> serial number: 00000000
> crypto engine state: installed
> crypto engine in slot: N/A
> ------------------------------------------------------------------
> 7606#sh crypto en conf
>
> crypto engine name: Cisco VPN Software Implementation
> crypto engine type: software
> serial number: xxxxxxxx
> crypto engine state: installed
> crypto engine in slot: N/A
> platform: Cisco Software Crypto Engine
>
> Crypto Adjacency Counts:
> Lock Count: 0
> Unlock Count: 0
> crypto lib version: 18.0.0
>
> 7606#
> ------------------------------------------------------------------
>
> What troubleshooting steps should I take? The SPA is used to
> accelerate IPSec Virtual Tunnel Interfaces (IPsec VTIs). Here's the
> configuration of one tunnel interface:
>
> !
> interface Tunnelx
>  ip unnumbered Loopbackx
>  tunnel source x.x.x.x
>  tunnel destination x.x.x.x
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile CRYPTO-IPSEC-PROFILE
>  crypto engine gre vpnblade
>  crypto engine slot 3/0 inside
> !
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares@netcabo.pt
>
>
> Blogs and organic groups at http://www.ccie.net
>
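As an added example (not from any of the posts above), here is a small Python check for the two outputs the thread relies on: the per-SA "crypto engine type" from show crypto ipsec sa and the session counters from show crypto eli. The sample outputs are constructed from the ones quoted in the thread, with one SA changed to the software engine so the check has something to flag.

```python
# Added example (not from the thread): parse IOS "show crypto ipsec sa" / "show crypto eli"
# output and flag SAs not running on the SPA. Samples are constructed from the quoted outputs.
import re

SA_SAMPLE = """\
inbound esp sas:
 spi: 0x919A3457(2442802263)
   slot/subslot: 5/0, conn id: 11037, flow_id: 114, crypto map: mbank
   crypto engine type: Hardware, engine_id: 2
outbound esp sas:
 spi: 0xAA2573C(178411324)
   slot/subslot: N/A, conn id: 11038, flow_id: 115, crypto map: mbank
   crypto engine type: Software, engine_id: 1
"""
ELI_SAMPLE = """\
Hardware Encryption : ACTIVE
IKE-Session : 1 active, 16383 max, 0 failed
IPSec-Session : 0 active, 65534 max, 0 failed
"""

def parse_sas(text):
    """One dict per SA: direction, spi, slot/subslot and crypto engine type."""
    sas, direction, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        hdr = re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line)
        if hdr:
            direction = f"{hdr.group(1)} {hdr.group(2)}"
        elif line.startswith("spi:"):
            cur = {"direction": direction, "spi": line.split()[1].split("(")[0]}
            sas.append(cur)
        elif cur and line.startswith(("slot/subslot:", "crypto engine type:")):
            key, val = line.split(",")[0].split(":", 1)
            cur[key.strip()] = val.strip()
    return sas

def parse_eli(text):
    """Active-session count per type, e.g. {'IKE-Session': 1, 'IPSec-Session': 0}."""
    return {n: int(a) for n, a in re.findall(r"^(\S+)\s*:\s*(\d+) active", text, re.M)}

def offload_findings(sa_text, eli_text):
    """Findings as strings; an empty list means every SA is on the SPA."""
    sas = parse_sas(sa_text)
    findings = [f"{sa['direction']} SPI {sa['spi']} on {sa.get('crypto engine type', '?')}"
                f" engine (slot {sa.get('slot/subslot', '?')})"
                for sa in sas if sa.get("crypto engine type") != "Hardware"]
    if sas and parse_eli(eli_text).get("IPSec-Session", 0) == 0:
        findings.append("SPA shows 0 active IPSec sessions while SAs exist")
    return findings
```

Paste the live command output into the two strings (or read it from files) and print the returned list; a healthy SPA-offloaded tunnel returns an empty list.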
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST