Core issue

This issue is documented in Cisco bug ID CSCsc44772.

A Cisco 1700 with a VPN module (MOD1700-VPN) faces problems in a specific Dynamic Multipoint VPN (DMVPN)  environment. At a certain point, the hardware module becomes stuck. This problem occurs in Cisco IOS Software Releases 12.4(5.5)T and 12.4(5).

Software encryption does not have any problems.

After a reboot (with hardware encryption enabled), the Enhanced Interior Gateway Routing Protocol (EIGRP) neighborships come up fine for a short while. After a certain time (within a minute), the 1721 stops forwarding traffic. The encaps/decaps counters of the IPsec tunnel no longer increment in the show crypto ipsec sa command, and the EIGRP tunnels go down.

If hardware encryption is then disabled, all works fine.

If hardware encryption is re-enabled, error messages such as these are received:

Router(config)#crypto engine accelerator
...switching to HW crypto engine
kthulu(config)#
Nov  9 09:57:13.429: %VPN_HW-6-INFO_LOC: Crypto engine: em 3  State changed to: Enabled
Nov  9 09:57:13.457: %C1700_EM-1-ERROR: control error: unknown error 0x1048
Nov  9 09:57:13.457: IPSECcard: an error coming back 0x1048
Nov  9 09:57:13.481: IPSECcard: an error coming back 0x1048
Nov  9 09:57:13.485: IPSECcard: an error coming back 0x1048
...
Nov  9 09:57:14.457: %C1700_EM-1-ERROR: control error: unknown error 0x1048

Resolution

For a workaround, enable software encryption by issuing the no crypto engine accelerator command.

This issue is fixed in Cisco IOS Software Releases 12.4(5.13), 12.4(05a), and 12.4(5.13)T. An upgrade is also suggested.