TCC_2

Core issue

This issue is due to the presence of Cisco bug ID CSCsd50841.


When 800 series routers run with CPU over 50 percent, traffic can stop after one or more IPsec rekeys. When this happens, Packets Dropped and Invalid Flow Error counters increment in the crypto accelerator statistics. Use the show crypto engine accelerator statistic command in order to view these counters.

This issue occurs on 870 routers when the IPsec flow ID value reaches 40 and on 1800 routers when the flow ID reaches 300. Most often, the main outbound Security Association (SA) does not pass traffic.

Note: This issue was first found in Cisco IOS Software Release 12.4(6)T.
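
A check for the symptom described above, as an added example and not Cisco tooling: it compares two captures of the show crypto engine accelerator statistic output and reports whether both counters named in this article grew between them. The "Name: value" line layout and the sample captures are constructed assumptions; adjust the pattern to the output your platform actually prints.

```python
import re

# Counter names as given in the article; the "Name: value" layout is an assumption.
COUNTERS = ("Packets Dropped", "Invalid Flow Error")

def read_counters(text):
    """Return {counter name: value} for each named counter found in the text."""
    found = {}
    for name in COUNTERS:
        m = re.search(re.escape(name) + r"\s*[:=]\s*(\d+)", text, re.IGNORECASE)
        if m:
            found[name] = int(m.group(1))
    return found

def counter_deltas(before_text, after_text):
    """Return how much each counter grew between two captures."""
    before, after = read_counters(before_text), read_counters(after_text)
    missing = [n for n in COUNTERS if n not in before or n not in after]
    if missing:
        # Fail loudly instead of reporting a healthy device when parsing broke.
        raise ValueError("counter(s) not found: " + ", ".join(missing))
    return {n: after[n] - before[n] for n in COUNTERS}

def matches_symptom(before_text, after_text):
    """True when both counters incremented, as the article describes."""
    return all(d > 0 for d in counter_deltas(before_text, after_text).values())

# Constructed sample captures (not real device output), taken around a rekey.
SNAP_BEFORE = """\
Packets In: 120045
Packets Out: 119870
Packets Dropped: 3
Invalid Flow Error: 0
"""
SNAP_AFTER = """\
Packets In: 120460
Packets Out: 119873
Packets Dropped: 415
Invalid Flow Error: 412
"""

if __name__ == "__main__":
    print(counter_deltas(SNAP_BEFORE, SNAP_AFTER))
    print("matches symptom:", matches_symptom(SNAP_BEFORE, SNAP_AFTER))
```

A negative delta means the counters were cleared or the router reloaded between captures, so take a fresh pair before drawing a conclusion.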

Resolution

Temporary workaround:

  • Use the clear crypto sa command to clear the IPsec SAs and restart traffic, or set a longer IPsec rekey interval.

Permanent workaround:

  • In order to completely resolve this issue, download the latest code. With Cisco, the number of images and releases is reduced, which makes it easier to choose the right release.

    This bug is fixed in these software releases:

    • Cisco IOS Software Release 12.4(7.18)T

    • Cisco IOS Software Release 12.4(6)T01

Refer to the Cisco IOS Upgrade Planner for more information.
