Re: IPSEC Processing on 7200 with VAM

iftikhar.qurashi · ‎08-16-2006

I am wondering if it is possible via configurations to make sure that IPSEC processing does not off load to the main processor in the case of VAM card (Encryption Card) failure. Or if it is possible to have a secondary VAM card in the 7200 Chassis. (7206 VXR NPE400)

What I observed is; in one of the routers VAM card failed during production and after that failure router become dead slow. I think this is mainly due to the fact that IPSEC processing moved to the main CPU and caused high load on the main CPU which created a blackhole device since Routing protocols were still running fine.

Any thoughts in this regard will be apprecited.

Thanks

Iftikhar Qurashi

jackyoung · ‎08-16-2006

Below are the info.

VAM

http://cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide09186a00800ed371.html

VAM2

http://cisco.com/en/US/products/sw/iosswrel/ps5187/products_feature_guide09186a008020ecd7.html

I can't ensure you can force the router not to offload to the main processor during VAM failure. However, we can install two VAM in a single chassis that it may help to solve your problem. But in VAM, you need to use NPE-G1 for daul VAM. You may also consider to upgrade to two VAM2 and it does not mention to require higher NPE.

I recommend to consult w/ your Cisco reseller for the compatibility of dual VAM in your current system.

Hope this helps.

iftikhar.qurashi · ‎08-17-2006

Following command avaiable in 12.3(14)T will fix the issue;

no crypto engine software ipsec

thanks

Iftikhar

jackyoung · ‎08-17-2006

It is great that you fixed it yourself. But I believe install a secondary VAM is better in terms of performance issue.