High "crypto hardware" CPU on 837

slaterc
Level 1

I have an 837 router to which I connect using various VPN clients (including 4.x.x for Win2K, and some other Linux version). IOS is 12.3(8)T (although this issue also happened with my previous version 12.3(2)XC2).

After reloading the router, the VPN works once. I cannot connect again until I reload the router again. If I _do_ try to connect a second time without reloading, I get no response at all from the router. I verified this by sniffing; there are no packets at all from the router.

Also after attempting a second connection, the "Crypto Hardware" process on the router has very high CPU, which does not go away until I reload the router.

During a failed connection, these messages appear in the log:

%CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEEDED

%CRYPTO-6-IKMP_MODE_FAILURE

I can't find any help on the Cisco web site about the %CRYPTO-3 message. As for the IKMP_MODE_FAILURE, all I've got is to "contact the remote client."

I'm suspecting a hardware issue. Can anyone help here?

2 Replies

S_Andrzej_2
Level 1

:D Sorry to say,

but I found the below:

CSCee55674 http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCee55674&cco_product=IOS&fset=&swver=&keyw=837&target=&train=

837: GRE IPSEC, High cpu when hardware encryption 12.3(7)T01

All affected versions

http://www.cisco.com/cgi-bin/Support/Bugtool/exists_version.pl?bugid=CSCee55674&ccoProduct=IOS

Assigned

First Fixed-in Version NONE

Release Notes Symptom: 837 having high CPU on process "Crypto Hardware", seeing following console-failures:

00:01:31: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at *.*.*.*

00:01:51: %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED: Pak spent too much time in the IKE input queues

00:02:32: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at *.*.*.*

00:02:52: %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED: Pak spent too much time in the IKE input queues

00:03:55: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at *.*.*.*

00:04:10: %SEC-6-IPACCESSLOGP: list 101 denied udp *.*.*.*(19310) -> *.*.*.*(1026), 1packet

00:04:32: %SEC-6-IPACCESSLOGP: list 101 denied tcp *.*.*.*(3209) -> *.*.*.*(2745), 1 packet

Conditions: Using GRE - IPSEC

Workaround: disable Hardware Encryption

Thanks for finding this!

I have to say to Cisco: this sucks!

Oh well, I guess I just have to wait for the fix.
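
The log signature quoted in the bug record above (an IKMP_MODE_FAILURE followed shortly by an IKE input queue time-limit message, repeating) can be checked for in collected router logs. The following is an added example, not part of the thread and not Cisco code; the 60-second pairing window, the two-pair threshold and the uptime-style `hh:mm:ss:` timestamp format are assumptions.

```python
import re

# Log lines as quoted in the bug record above (peer addresses already masked).
SAMPLE = """\
00:01:31: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at *.*.*.*
00:01:51: %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED: Pak spent too much time in the IKE input queues
00:02:32: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at *.*.*.*
00:02:52: %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED: Pak spent too much time in the IKE input queues
00:03:55: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at *.*.*.*
00:04:10: %SEC-6-IPACCESSLOGP: list 101 denied udp *.*.*.*(19310) -> *.*.*.*(1026), 1packet
"""

# Assumed format: uptime timestamp, then %FACILITY-SEVERITY-MNEMONIC:
LINE = re.compile(r"^(\d+):(\d\d):(\d\d): %([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")

def parse(text):
    """Yield (uptime_seconds, facility, mnemonic) for each matching log line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            h, mi, s = (int(m.group(i)) for i in (1, 2, 3))
            yield h * 3600 + mi * 60 + s, m.group(4), m.group(6)

def find_stalls(text, window=60):
    """Pair each IKMP_MODE_FAILURE with a queue time-limit message within `window` seconds."""
    pairs, pending = [], None
    for ts, facility, mnemonic in parse(text):
        if facility != "CRYPTO":
            continue
        if mnemonic == "IKMP_MODE_FAILURE":
            pending = ts
        # Prefix match covers both spellings seen in the thread (EXCEED / EXCEEDED).
        elif mnemonic.startswith("IKE_PAK_IN_Q_TIME_LIMIT_EXCEED") and pending is not None:
            if ts - pending <= window:
                pairs.append((pending, ts))
            pending = None
    return pairs

def matches_symptom(text, min_pairs=2, window=60):
    """True when the failure/queue-stall pair repeats, as in the bug record's log."""
    return len(find_stalls(text, window)) >= min_pairs

if __name__ == "__main__":
    for fail, stall in find_stalls(SAMPLE):
        print(f"IKE failure at +{fail}s, input queue stall at +{stall}s")
    print("symptom pattern present:", matches_symptom(SAMPLE))
```

A match only says the log resembles the symptom in the bug record; confirming it still means checking CPU for the "Crypto Hardware" process on the router itself.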