01-17-2011 04:59 AM
Hello Community
I was too stupid to read the datasheet and just configured AES-256 on a router with a VAM2 module. According to the datasheet the VAM2 processes AES-256 in software. Now my question: Is there any show command to check how many (crypto) packets are processed in software on the VAM2?
If I do a "sh crypto engine accelerator statistic" which counter indicates that the AES256-packets are processed in software?
Thank you for your answers!
Marcel
01-17-2011 09:42 AM
Marcel,
I think there's a bigger misconception here.
A particular IPsec/SSL flow can be handled by a crypto engine (built in, external) or under certain circumstances in software (when everything else fails, usually).
In case of IPsec you can handle which particular flow is handled by which encryption method by checking:
"show crypto ipsec sa" and checking "flow" value (might depend on version)
To see what kind of accelerator engines are available in the system you can check "show crypto eli".
Marcin
01-17-2011 11:36 AM
Thank you Marcin for the reply.
Well I see that my crypto sessions are handled by the VAM2-module:
sh crypto ipsec sa detail | inc flow
conn id: 5039, flow_id: VAM2:3039, crypto map: Tunnel1-head-0
conn id: 5040, flow_id: VAM2:3040, crypto map: Tunnel1-head-0
etc.
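The check discussed above, as an added example that is not part of the original thread: a Python parser that takes saved "show crypto ipsec sa" output, pairs each SA's transform with the engine named in its flow_id, and lists SAs that are not on the expected engine. The sample capture is constructed (only the two VAM2 "conn id" lines follow the output quoted above), and the "SW" engine label, the SPIs and the function names are assumptions. It reports only which engine owns a flow, not where on the card the cipher itself runs.

```python
import re
from collections import Counter

# Constructed capture in the layout of "show crypto ipsec sa"; the SPIs, the
# third SA and its "SW" engine label are made up for this example.
SAMPLE = """\
     inbound esp sas:
      spi: 0x0A1B2C3D(169552957)
        transform: esp-256-aes esp-sha-hmac ,
        conn id: 5039, flow_id: VAM2:3039, crypto map: Tunnel1-head-0
     outbound esp sas:
      spi: 0x4D5E6F70(1298034544)
        transform: esp-256-aes esp-sha-hmac ,
        conn id: 5040, flow_id: VAM2:3040, crypto map: Tunnel1-head-0
     inbound esp sas:
      spi: 0x11223344(287454020)
        transform: esp-aes esp-sha-hmac ,
        conn id: 2001, flow_id: SW:1, crypto map: Tunnel2-head-0
"""

TRANSFORM_RE = re.compile(r"^\s*transform:\s*(.+?)\s*,?\s*$")
FLOW_RE = re.compile(r"conn id:\s*(\d+),\s*flow_id:\s*([^:,]+):(\d+)")

def parse_sas(text):
    """Return one record per SA: conn id, engine and flow number from flow_id,
    plus the transform line that preceded it (None if the capture was filtered)."""
    sas, transform = [], None
    for line in text.splitlines():
        m = TRANSFORM_RE.match(line)
        if m:
            transform = m.group(1)
            continue
        m = FLOW_RE.search(line)
        if m:
            sas.append({"conn_id": int(m.group(1)), "engine": m.group(2).strip(),
                        "flow": int(m.group(3)), "transform": transform})
            transform = None  # do not carry a transform over to the next SA
    return sas

def engine_summary(sas):
    """Count SAs per (engine, transform) pair."""
    return Counter((sa["engine"], sa["transform"]) for sa in sas)

def not_on_engine(sas, engine="VAM2"):
    """Conn ids of SAs whose flow_id names a different engine."""
    return [sa["conn_id"] for sa in sas if sa["engine"] != engine]

if __name__ == "__main__":
    for (eng, tf), n in sorted(engine_summary(parse_sas(SAMPLE)).items()):
        print(f"{eng:6} {tf:28} {n}")
```

Run against output filtered with "| inc flow", the transform field is None because the filter drops the transform lines.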
01-17-2011 12:08 PM
Marcel,
Honestly I have not seen a split in VAM2 for HSP and non-HSP flows (but I'm not dealing with crypto hardware).
Can you check "show crypto eng conf" and full output of "show crypto ipsec sa" to see what is currently being run?
Marcin
01-17-2011 11:37 PM
Hi Marcin
Here are the requested outputs:
sh crypto engine configuration
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: slot 1
VPN Module in slot: 1
Product Name: VAM2
Software Serial #: 55AA
Device ID: 0014 - revision 0004
Vendor ID: 0000
Revision No: 0x00140004
VSK revision: 0
Boot version: 12
DPU version: 0
HSP version: 2.3(5) (PRODUCTION)
Time running: 4w4d
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 5120
Maximum SA index: 5120
Maximum Flow index: 10230
Maximum RSA key size: 2048
crypto lib version: 20.0.0
crypto engine in slot: 1
platform: VPN hardware accelerator
Crypto Adjacency Counts:
Lock Count: -1622581642
Unlock Count: -1623453350
crypto lib version: 20.0.0
01-17-2011 11:55 PM
Marcel,
Well, VAM2 will be end-of-lifed completely this year (unlike VAM2+!) and yes, I guess you should run AES-128. The last version to support VAM is 12.4(15)T.
My best guess is that this part of the processing is done in HSP (a sort of general-purpose CPU on the card), since it's documented to do so.
Marcin
01-18-2011 12:07 AM
All right, I think your guess is right :-)
Well, it isn't really a problem, because due to the EOL we change the NPE and VAM on the router to G2 and VAM2+... but I was just wondering how to check what's written in the datasheet.
Thank you for your help
Marcel