This issue is documented in Cisco bug ID CSCsc44772.
A Cisco 1700 with a VPN module (MOD1700-VPN) faces problems in a specific Dynamic Multipoint VPN (DMVPN) environment. At a certain point, the hardware module becomes stuck. This problem occurs in Cisco IOS Software Releases 12.4(5.5)T and 12.4(5).
Software encryption does not have any problems.
After a reboot (with hardware encryption enabled), the Enhanced Interior Gateway Routing Protocol (EIGRP) neighborships come up fine for a short while. After a certain time (within a minute), the 1721 stops forwarding traffic. The encaps/decaps counters of the IPsec tunnel no longer increment in the show crypto ipsec sa command, and the EIGRP tunnels go down.
If hardware encryption is then disabled, everything works correctly.
If hardware encryption is re-enabled, error messages such as these are received:
Router(config)#crypto engine accelerator
...switching to HW crypto engine
kthulu(config)#
Nov 9 09:57:13.429: %VPN_HW-6-INFO_LOC: Crypto engine: em 3 State changed to: Enabled
Nov 9 09:57:13.457: %C1700_EM-1-ERROR: control error: unknown error 0x1048
Nov 9 09:57:13.457: IPSECcard: an error coming back 0x1048
Nov 9 09:57:13.481: IPSECcard: an error coming back 0x1048
Nov 9 09:57:13.485: IPSECcard: an error coming back 0x1048
...
Nov 9 09:57:14.457: %C1700_EM-1-ERROR: control error: unknown error 0x1048
For a workaround, enable software encryption by issuing the no crypto engine accelerator command.
This issue is fixed in Cisco IOS Software Releases 12.4(5.13), 12.4(05a), and 12.4(5.13)T. An upgrade is also suggested.
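The two symptoms described above (the 0x1048 engine errors and the IPsec counters that stop incrementing) can be checked from collected logs and two show crypto ipsec sa captures. This is an added example, not Cisco code; the log lines and counter excerpts are constructed samples, and the "#pkts encaps/decaps" line layout is an assumption about the command output.

```python
import re

# Constructed sample log, modelled on the console messages quoted above.
SAMPLE_LOG = """\
Nov 9 09:57:13.429: %VPN_HW-6-INFO_LOC: Crypto engine: em 3 State changed to: Enabled
Nov 9 09:57:13.457: %C1700_EM-1-ERROR: control error: unknown error 0x1048
Nov 9 09:57:13.457: IPSECcard: an error coming back 0x1048
Nov 9 09:57:13.481: IPSECcard: an error coming back 0x1048
Nov 9 09:57:14.457: %C1700_EM-1-ERROR: control error: unknown error 0x1048
"""
# Constructed excerpts of "show crypto ipsec sa", captured a minute apart.
# The "#pkts encaps/decaps" line layout is an assumption about the output.
SNAP_BEFORE = """\
    #pkts encaps: 412, #pkts encrypt: 412, #pkts digest: 412
    #pkts decaps: 398, #pkts decrypt: 398, #pkts verify: 398
"""
SNAP_AFTER = SNAP_BEFORE  # identical counters: the stuck state

ENGINE_ERROR = re.compile(
    r"(?:%C1700_EM-1-ERROR: control error: unknown error"
    r"|IPSECcard: an error coming back) (0x[0-9a-fA-F]+)")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")

def engine_errors(log_text):
    """Count hardware crypto engine error lines per error code."""
    counts = {}
    for code in ENGINE_ERROR.findall(log_text):
        counts[code] = counts.get(code, 0) + 1
    return counts

def sa_counters(show_output):
    """Sum encaps/decaps counters over every SA in the output."""
    totals = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER.findall(show_output):
        totals[name] += int(value)
    return totals

def counters_stalled(before, after):
    """True when neither counter advanced between the two snapshots."""
    old, new = sa_counters(before), sa_counters(after)
    return all(new[k] <= old[k] for k in old)

def findings(log_text, before, after):
    """Collect the symptoms this note describes, as readable strings."""
    out = [f"{n} crypto engine errors with code {c}"
           for c, n in sorted(engine_errors(log_text).items())]
    if counters_stalled(before, after):
        out.append("IPsec encaps/decaps counters are not incrementing")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_LOG, SNAP_BEFORE, SNAP_AFTER)))
```

Flat counters alone can also mean an idle tunnel, so treat the counter check as supporting evidence next to the error messages.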