06-13-2004 11:25 PM - edited 03-09-2019 07:44 AM
I have an 837 router to which I connect using various VPN clients (including 4.x.x for Win2K, and some other Linux version). IOS is 12.3(8)T (although this issue also happened with my previous version 12.3(2)XC2)
After reloading the router, the vpn works once. I cannot connect again until I reload the router again. If I _do_ try to connect a second time without reloading, I get no response at all from the router. I verified this by sniffing; there are no packets at all from the router.
Also after attempting a second connection, the "Crypto Hardware" process on the router has very high CPU, which does not go away until I reload the router.
During a failed connection, these messages appear in the log:
%CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEEDED
%CRYPTO-6-IKMP_MODE_FAILURE
I can't find any help on the Cisco web site about the %CRYPTO-3 message. As for the IKMP_MODE_FAILURE, all I've got is to "contact the remote client."
I'm suspecting a hardware issue. Can anyone help here?
06-20-2004 07:14 AM
:D sory to say
but I find as below :
837: GRE IPSEC, High cpu when hardware encryption 12.3(7)T01
All affected versions
http://www.cisco.com/cgi-bin/Support/Bugtool/exists_version.pl?bugid=CSCee55674&ccoProduct=IOS
Assigned
First Fixed-in Version NONE
Release Notes Symptom: 837 having high CPU on process "Crypto Hardware",
seeing following console-failures:
00:01:31: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at *.*.*.*
00:01:51: %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED: Pak spent too much time in the IKE input queues
00:02:32: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at *.*.*.*
00:02:52: %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED: Pak spent too much time in the IKE input queues
00:03:55: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at *.*.*.*
00:04:10: %SEC-6-IPACCESSLOGP: list 101 denied udp *.*.*.*(19310) -> *.*.*.*(1026), 1packet
00:04:32: %SEC-6-IPACCESSLOGP: list 101 denied tcp *.*.*.*(3209) -> *.*.*.*(2745), 1 packet
Conditions:Usign GRE - IPSEC
Workaround: disable Hardware Encryption
06-20-2004 11:29 PM
Thanks for finding this!
I have to say to Cisco: this sucks!
Oh well, I guess I just have to wait for the fix.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide