IPSEC TUNNEL..HUB & SPOKE Problem

sandeepkhera
Level 1

Hi All,

I am facing a problem with a site-to-site VPN in a hub-and-spoke topology.

Scenario: the hub router (2811) is building IPsec tunnels with 100 spokes (851) using a common pre-shared key. Around 90 tunnels are up, but 10 tunnels are not coming up. Each spoke router has a similar config and IOS. DPD is enabled at the hub site.

The hub crypto config is the same for all the sites, and the access-lists are mirrored on hub and spoke.

During a debug on one of the spokes I got the following messages:

*Mar  2 09:37:59.847: ISAKMP:(0):found peer pre-shared key matching x.x.x.x
*Mar  2 09:37:59.847: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar  2 09:37:59.847: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  2 09:37:59.847: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar  2 09:37:59.847: ISAKMP:(0): constructed NAT-T vendor-02 ID
!
!
*Mar  2 09:37:59.887: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar  2 09:37:59.887: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  2 09:37:59.887: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  2 09:37:59.887: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
!
*Mar  2 09:38:01.887: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Mar  2 09:38:01.887: ISAKMP:(0): retransmitting due to retransmit phase 1
*Mar  2 09:38:04.203: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Mar  2 09:38:04.203: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
!(5 attempts)
*Mar  2 09:38:04.887: ISAKMP:(0):peer does not do paranoid keepalives.
*Mar  2 09:38:04.887: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_SA_SETUP (peer x.x.x.x)
*Mar  2 09:38:04.887: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_SA_SETUP (peer x.x.x.x)
*Mar  2 09:38:04.887: ISAKMP: Unlocking peer struct 0x82182080 for isadb_mark_sa_deleted(), count 0
*Mar  2 09:38:04.887: ISAKMP: Deleting peer node by peer_reap for x.x.x.x: 82182080
*Mar  2 09:38:04.887: ISAKMP:(0):deleting node -653888495 error FALSE reason "IKE deleted"
*Mar  2 09:38:04.887: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  2 09:38:04.887: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_DEST_SA

It is showing NAT-T in the debug, but there is no NAT happening in between?

Please share your thoughts and findings on that.

Regards

S.K
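The debug above is worth reading mechanically rather than line by line: the last transition before teardown is IKE_I_MM2 -> IKE_I_MM3, which means the spoke (the initiator, "(I)") received the hub's MM2 and sent MM3, the main-mode key-exchange message, and then never got MM4 back, so it retransmitted five times and deleted the SA with "Death by retransmission P1". The "constructed NAT-T vendor-… ID" lines are the initiator advertising NAT-T support in its first message; they appear on every IOS initiator with NAT-T enabled and are not evidence that a NAT was detected (that is reported separately, after the NAT-D payloads are compared). The following script is an added example and is not code from the original post or from Cisco; it parses a spoke-side `debug crypto isakmp` capture, works out which main-mode message the initiator was waiting for, and reports the retransmit count and teardown reason. The sample debug is constructed from the post, with the peer address replaced by a documentation address and the elided retransmit lines filled in, and the "waiting for" hints are this example's own mapping of IOS initiator states to the message that was never answered.

```python
import re
from typing import Dict, Optional

# Constructed sample, modelled on the spoke debug in the post above (peer address
# replaced with a documentation address; the attempts the poster summarised as
# "(5 attempts)" are filled in so the parser has something to count).
SAMPLE_DEBUG = """\
*Mar  2 09:37:59.847: ISAKMP:(0):found peer pre-shared key matching 192.0.2.1
*Mar  2 09:37:59.847: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar  2 09:37:59.847: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  2 09:37:59.887: ISAKMP:(0): sending packet to 192.0.2.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar  2 09:37:59.887: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Mar  2 09:38:04.203: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Mar  2 09:38:04.203: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  2 09:38:14.203: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Mar  2 09:38:14.203: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  2 09:38:24.887: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_SA_SETUP (peer 192.0.2.1)
*Mar  2 09:38:24.887: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_DEST_SA
"""

PEER_RE = re.compile(r"sending packet to (\S+) my_port")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DEATH_RE = re.compile(r'deleting SA reason "([^"]+)" state \(([IR])\) (\S+)')
NATT_VID_RE = re.compile(r"constructed NAT-T vendor")
# "NAT found" is the detection message; "No NAT Found ..." must not count.
NAT_DETECTED_RE = re.compile(r"(?<!No )NAT found", re.IGNORECASE)

# Hypothetical mapping (this example's own): the IOS initiator state the SA was
# sitting in when retransmission started -> the peer message that never arrived.
WAITING_FOR: Dict[str, str] = {
    "IKE_I_MM1": "MM2 (peer's SA response): the peer never answered the first message; "
                 "check reachability on UDP 500, that ISAKMP is enabled on the peer, "
                 "and that a matching phase 1 policy exists",
    "IKE_I_MM3": "MM4 (peer's key exchange): the peer accepted the proposal in MM2 but "
                 "never completed the DH exchange; check the peer's IKE SA and DH "
                 "capacity and the path between the peers",
    "IKE_I_MM5": "MM6 (peer's authentication): the peer did not accept our ID/hash; "
                 "commonly a pre-shared key mismatch",
}


def diagnose(debug_text: str) -> Dict[str, object]:
    """Summarise a failed phase 1 from an initiator-side ISAKMP debug capture."""
    peer: Optional[str] = None
    last_state: Optional[str] = None
    retransmits = 0
    retransmit_limit = 0
    death_reason: Optional[str] = None
    death_exchange: Optional[str] = None
    natt_vid_seen = False
    nat_detected = False

    for line in debug_text.splitlines():
        if m := PEER_RE.search(line):
            peer = m.group(1)
        if m := STATE_RE.search(line):
            # Only initiator main-mode states tell us what we were waiting for;
            # IKE_DEST_SA is the teardown state, not a waiting state.
            if m.group(2).startswith("IKE_I_MM"):
                last_state = m.group(2)
        if m := ATTEMPT_RE.search(line):
            retransmits = max(retransmits, int(m.group(1)))
            retransmit_limit = int(m.group(2))
        if m := DEATH_RE.search(line):
            death_reason, death_exchange = m.group(1), m.group(3)
        if NATT_VID_RE.search(line):
            natt_vid_seen = True
        if NAT_DETECTED_RE.search(line):
            nat_detected = True

    return {
        "peer": peer,
        "last_state": last_state,
        "retransmits": retransmits,
        "retransmit_limit": retransmit_limit,
        "death_reason": death_reason,
        "death_exchange": death_exchange,
        # Vendor IDs alone only say "NAT-T supported"; NAT must be reported explicitly.
        "natt_vendor_id_only": natt_vid_seen and not nat_detected,
        "waiting_for": WAITING_FOR.get(last_state or "", "unknown state; inspect manually"),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_DEBUG).items():
        print(f"{key:20} {value}")
```

Run against the poster's capture, the summary says the SA died in MM_SA_SETUP after 5 of 5 retransmits while waiting for MM4, and that NAT-T was only advertised, not detected: the hub is reachable and answering MM1, but is not completing the exchange for these spokes.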


I am not using any special hardware VPN module on the 3660 router. I am running it with the default setting of the software crypto engine.

How can I check the limit of that engine for encrypted tunnels?

Also, what other things matter in limiting IPsec tunnels on the router?

SK

Hi,

If you are running 12.4T IOS, then you could try the command "show crypto eli detail" to see the software crypto engine limit. With the software crypto engine, other than these hard-coded SA limits, the CPU will be another significant resource limitation when scaling IPsec. Hope this helps.

Thanks,

Wen

sh crypto eli detail shows that there is no hardware VPN module present:

Hardware Encryption : INACTIVE
Number of hardware crypto engines = 0

At present 100 tunnels are running, and it is not establishing more tunnels.

What is the default number of tunnels for this 3660 router?

Regards

SK

Hi,

Could you provide the complete "show version" and "show crypto eli detail" output? The default software crypto engine limit should be 100 IKE SA, 1000 IPSec SA, and 50 DH.

Thanks,

Wen

show version

Cisco IOS Software, 3600 Software (C3660-JK9O3S-M), Version 12.4(15)T5, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Wed 30-Apr-08 17:50 by prod_rel_team

ROM: System Bootstrap, Version 12.0(6r)T, RELEASE SOFTWARE (fc1)

Skyband-DLL-KBW uptime is 21 weeks, 3 hours, 1 minute
System returned to ROM by power-on
System restarted at 12:00:43 UTC Wed May 26 2010
System image file is "flash:c3660-jk9o3s-mz.124-15.T5.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 3660 (R527x) processor (revision 1.0) with 251904K/10240K bytes of memory.
Processor board ID JAB0412885A
R527x CPU at 225MHz, Implementation 40, Rev 10.0, 2048KB L2 Cache


3660 Chassis type: ENTERPRISE
2 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of NVRAM.
65536K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

It says "show crypto eli detail" is not a command.

It accepts only "show crypto eli", whose 2-line output I already posted in my last post.

BR.

SK

Hi:

"show crypto eli detail" is a hidden command on the version you have, you should be able to enter it even though it's not shown in the parser. Please give it a try.

Thanks,

Wen

Thanks Wen, I didn't know that we have some hidden commands too.

Tried this one, and here is the output:

Hardware Encryption : INACTIVE
Number of crypto engines = 2

CryptoEngine SRTP SW details: state = Active
Capability      :

CryptoEngine Software Crypto Engine details: state = Active
Capability      : IPPCP, DES, 3DES, AES, SEAL, RSA, IPv6, GDOI

IKE-Session   :    99 active,   100 max, 49654 failed
IKEv2-Session :    99 active,   100 max, 49654 failed
DH            :     2 active,    50 max, 0 failed
IPSec-Session :   194 active,  1000 max, 0 failed

0595: A IPSec (Decrypting)
   SW replay check
0596: A IPSec (Encrypting)
0597: A IPSec (Decrypting)
   SW replay check
0598: A IPSec (Encrypting)
0599: A IPSec (Decrypting)
   SW replay check
0600: A IPSec (Encrypting)
...
and so on.

As per the above statistics, we can have only 100 IKE sessions?

And could you please tell me what "2 DH active" means?

BR

SK
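The counters in that output are the whole story of this thread: 99 IKE sessions against a maximum of 100, a large "failed" count on the IKE line, and 194 IPsec sessions (two per peer, one inbound and one outbound SA) well under the 1000 limit. A hub needs one IKE SA per spoke, so a software engine capped at 100 IKE SAs cannot carry 100 spokes plus any headroom. The script below is an added example, not code from the original post or from Cisco; it parses the `show crypto eli detail` counter lines, flags any resource near its limit or with non-zero failures, and checks whether a planned number of spokes fits the engine's limits. The sample output is constructed from the poster's counters, and the two-IPsec-SAs-per-spoke figure is an assumption that holds for one crypto map entry per spoke.

```python
import re
from typing import Dict, List, NamedTuple


class EngineCounter(NamedTuple):
    active: int
    max: int
    failed: int


# Constructed sample: the counter lines from the poster's "show crypto eli detail".
SAMPLE_ELI = """\
Hardware Encryption : INACTIVE
Number of crypto engines = 2
CryptoEngine Software Crypto Engine details: state = Active
Capability      : IPPCP, DES, 3DES, AES, SEAL, RSA, IPv6, GDOI
IKE-Session   :    99 active,   100 max, 49654 failed
IKEv2-Session :    99 active,   100 max, 49654 failed
DH            :     2 active,    50 max, 0 failed
IPSec-Session :   194 active,  1000 max, 0 failed
"""

# Matches only the "<name> : N active, M max, F failed" counter lines.
COUNTER_RE = re.compile(
    r"^(?P<name>[\w-]+)\s*:\s*(?P<active>\d+) active,\s*(?P<max>\d+) max,\s*(?P<failed>\d+) failed"
)


def parse_eli(text: str) -> Dict[str, EngineCounter]:
    """Extract the per-resource counters from show crypto eli detail output."""
    counters: Dict[str, EngineCounter] = {}
    for line in text.splitlines():
        if m := COUNTER_RE.match(line):
            counters[m.group("name")] = EngineCounter(
                int(m.group("active")), int(m.group("max")), int(m.group("failed"))
            )
    return counters


def capacity_findings(counters: Dict[str, EngineCounter], warn_pct: int = 90) -> List[str]:
    """Report resources at or above warn_pct utilisation, and any refused allocations."""
    findings: List[str] = []
    for name, c in counters.items():
        pct = 100 * c.active // c.max if c.max else 0
        if pct >= warn_pct:
            findings.append(f"{name}: {c.active}/{c.max} in use ({pct}%), at or near the engine limit")
        if c.failed:
            findings.append(f"{name}: {c.failed} allocations failed, peers have been refused")
    return findings


def fits_software_engine(counters: Dict[str, EngineCounter], spokes: int,
                         ipsec_sas_per_spoke: int = 2) -> Dict[str, bool]:
    """Does a hub with this many spokes fit within the engine's hard limits?

    Assumption (this example's): one IKE SA per spoke and two IPsec SAs (one
    inbound, one outbound) per spoke, i.e. one crypto map entry per spoke.
    DH is a count of concurrent exchanges, not a per-tunnel resource, so it is
    not a sizing limit here.
    """
    return {
        "IKE-Session": spokes <= counters["IKE-Session"].max,
        "IPSec-Session": spokes * ipsec_sas_per_spoke <= counters["IPSec-Session"].max,
    }


if __name__ == "__main__":
    counters = parse_eli(SAMPLE_ELI)
    for finding in capacity_findings(counters):
        print(finding)
    print("100 spokes:", fits_software_engine(counters, 100))
    print("110 spokes:", fits_software_engine(counters, 110))
```

On the poster's numbers this prints that IKE-Session is at 99% with failed allocations, that 100 spokes fit only with zero headroom, and that anything beyond 100 spokes cannot be served by the software engine at all, which is the case for a hardware module or a platform with a higher limit.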

Hi,

Yes this helped confirm you are limited to 100 IKE SA's. The DH count for the most part is an internal construct, so you don't have to worry too much about it. Hope this helps.

Thanks,

Wen

Thanks Wen for your kind help on this.

We are planning to upgrade the router with an AIM-VPN module soon.

Thanks all for responding to the query.

Regards

SK