01-28-2011 09:20 AM
Hi everyone.
I have a 3845 Cisco router using crypto maps to establish crypto sessions with almost one hundred routers. For the last 2 days the crypto sessions have been going down and the process CPU increases. The error message is this one:
100 **
90 ##*
80 ##*
70 ###
60 ### *
50 ###**
40 *** *** * #*** * #***** * *** ######***#*#
30 ############################################****############
20 ############################################################
10 ############################################################
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5
*Jan 27 10:46:21: %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED: Pak spent too much time in the IKE input queues
XXXX#sh clock
*11:37:48.378 COL Thu Jan 27 2011
3434444464333433333333333333333333333333222999944433343333
9181541171976179454336561454566736492183621997702276529879
100 *##*
90 *##*
80 *###
70 * *###
60 * *###
50 * * *###
40 *#########*****# * *** * **** * * * #######***##**###
30 ########################################* #################
20 ############################################################
10 ############################################################
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5
CPU% per minute (last 60 minutes)
*Jan 28 10:59:36: %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED: Pak spent too much time in the IKE input queues
XXX#sh clock
*11:45:09.299 COL Fri Jan 28 2011
I looked at the Cisco website and the explanation is this one:
If the IKE process is under heavy load, incoming IKE packets may spend too much time in the IKE input queue which will result in the generation of an error level (severity 3) Syslog message. The Syslog message is %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED.
The router uses a VPN module, but I don't know if it is really using the VPN module. How can I check it?
How can I fix my problem?
Cisco IOS: flash:c3845-advipservicesk9-mz.124-9.T7.bin
01-28-2011 09:58 AM
"show crypto eli" should tell you if it is using VPN module.
When you saw the high cpu, did you check "show process cpu sort" to see which process was causing high cpu?
01-28-2011 10:13 AM
Hi!
Unfortunately "show crypto eli" will not give you a lot of information about vpn module type (f.e.):
#show crypto eli
Hardware Encryption Layer : ACTIVE
Number of crypto engines = 1 .
CryptoEngine-0 (slot-0) details.
Capability-IPSec : IPPCP, 3DES, AES, RSA
IKE-Session : 23 active, 2000 max, 0 failed
DH-Key : 0 active, 2000 max, 0 failed
IPSec-Session : 46 active, 4000 max, 0 failed
IMHO, "show crypto engine configuration" will give more information (f.e.):
#show crypto engine configuration
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: aim 0
VPN Module in slot: 0
Product Name: AIM-VPN/EPII-PLUS
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The last output is more informative.
With best regards.
08-07-2017 06:07 PM
Just got this message for the first time on a 2921 with ISM-VPN-29 module, which was active. The tunnels combine for only 50 Mbps throughput but 60k pps which I'm suspecting is the problem.
Router#show crypto engine brief
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Disabled
Location: onboard 0
Product Name: Onboard-VPN
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: slot 0
Product Name: ISM VPN Accelerator
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: 214CE12A
crypto engine state: installed
crypto engine in slot: N/A