crypto errors

cgravell · ‎05-28-2004

Hi,

I'm running an IP VPN over a frame-relay cloud using triple DES. There are 6 sites in a hub and spoke topology. We are running VoIP between the sites, setting precedence. The calls are ok but we are seeing some dropped packets for each call. One the Hub site, we have a 2600XM with the new AES accelerator modules running code:

c2600-ik9o3s-mz.123-8.4a.bin

but am getting errors:

sh cry eng acc st:

Errors:

ppq full errors : 0 ppq rx errors : 2366

cmdq full errors : 0 cmdq rx errors : 1

no buffer : 0 replay errors : 104645

dest overflow : 0 authentication errors : 1361

Other error : 1 RNG self test fail : 0

DF Bit set : 0 Hash Miscompare : 0

Unwrappable object : 0 Missing attribute : 0

Invalid attrribute value: 0 Bad Attribute : 0

Verification Fail : 0 Decrypt Failure : 0

Invalid Packet : 2366 Invalid Key : 0

Input Overrun : 0 Input Underrun : 0

Output buffer overrun : 0 Bad handle value : 0

Invalid parameter : 0 Bad function code : 0

Out of handles : 0 Access denied : 0

Warnings:

sessions_expired : 0 packets_fragmented : 0

general: : 0

HSP details:

hsp_operations : 0 hsp_sessions : 0

I'm going to change from this release to code c2600-ik9o3s-mz.123-9.bin which is a non-engineering release now available.

Can any one shed any light on the nature of these errors? I think the replay errors relate to packets not received within an expected arrival time window are dropped by IPSEC. The counters are for about a 10 day period.

Any ideas?

a-vazquez · ‎06-03-2004

Did you check the bug tool kit for any known issues for this IOS version??

cgravell · ‎06-03-2004

Hi,

I upgraded and now only get replay errors on the hub site with no errors on any of the crypto engines at the spokes.

I'm not seeing any drops pkts in = pkts out, but i thought that replay errors necessarily resulted in drops by their nature?

#sh cry eng acc st

Virtual Private Network (VPN) Module in slot : 0

Statistics for Hardware VPN Module since the last clear

of counters 5526 seconds ago

5896963 packets in 5896963 packets out

1737792329 bytes in 1709479514 bytes out

1067 paks/sec in 1067 paks/sec out

2515 Kbits/sec in 2474 Kbits/sec out

2544370 packets decrypted 3352612 packets encrypted

488003464 bytes before decrypt 1221481326 bytes encrypted

401024765 bytes decrypted 1336774632 bytes after encrypt

0 packets decompressed 0 packets compressed

0 bytes before decomp 0 bytes before comp

0 bytes after decomp 0 bytes after comp

0 packets bypass decompr 0 packets bypass compres

0 bytes bypass decompres 0 bytes bypass compressi

0 packets not decompress 0 packets not compressed

0 bytes not decompressed 0 bytes not compressed

1.0:1 compression ratio 1.0:1 overall

208 commands out 208 commands acknowledged

Last 5 minutes:

309189 packets in 309189 packets out

1030 paks/sec in 1030 paks/sec out

2466611 bits/sec in 2430779 bits/sec out

62371647 bytes decrypted 22885872 bytes encrypted

1685720 Kbits/sec decrypted 618537 Kbits/sec encrypted

1.0:1 compression ratio 1.0:1 overall

Errors:

ppq full errors : 0 ppq rx errors : 0

cmdq full errors : 0 cmdq rx errors : 0

no buffer : 0 replay errors : 1920

dest overflow : 0 authentication errors : 0

Other error : 0 RNG self test fail : 0