cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8333
Views
10
Helpful
17
Replies

ipsec vti ipv4 over ipv6 possible ?

nvanhaute
Level 1
Level 1

hi,

I think about switching my VPN backbone ipv4 (vti) in ipv6, but behind all my peers all is in ipv4.

So I would like to start in changing only backbone and not networks behind, is it possible ?

to resume, is it possible to make that :

ipv4 network A ==> Cisco ISR (ipv4 lan inside) | (ipv6 wan outside) <======= ipv6 ipsec vpn (vti)

=======> Cisco ISR (ipv6 wan outside) | (ipv4 lan inside) ==> ipv4 network B

Thanks for your comments.

Best regards

Nicolas

1 Accepted Solution

Accepted Solutions

Nicolas,

Can you enable IPV6 unicast-routing on both sides and try again?

Cheers,

View solution in original post

17 Replies 17

on the IOS-router you need to change your tunnel mode to GRE. With that you can transport v4 over a public v6 network.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

olpeleri
Cisco Employee
Cisco Employee

Hello Nicolas,

Currently, VTI [ IPSEC mode] works only ipv4 over ipv4 / ipv6 over ipv6.

Per RFC, in ikev2, we could have an overlay dual stack [ since we can have 2 TSi -TSr] but it's not yet implemented.

A dual stack approach would consume more ressources than GRE [ which is available today].

Therefore,we recommend the use of GRE [ protecting a single TSi-TRr with a single pair SA] since this maximise the scalability per device.

GRE allows you to encapsulate anything from ipv4 to ipv6 or cdp.

I hope this helps

Olivier,

CCIE Security #20306

Hi Olivier,

Just made some tests in lab and I have no success to do it :-(

I use 881 and 1841 both in 15.1(4)M6 and they are face to face

both sides :
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
crypto isakmp key cisco address ipv6 ::/0
crypto isakmp keepalive 60 10
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes 256 esp-md5-hmac
 mode transport
!
crypto ipsec profile RACINE
 set transform-set ESP-AES-256-MD5
!

=> 1841

interface Tunnel0
 description vers test1
 ip unnumbered FastEthernet0/1
 ipv6 enable
 tunnel source FastEthernet0/0
 tunnel mode gre ipv6
 tunnel destination 2012::1
 tunnel path-mtu-discovery
 tunnel protection ipsec profile RACINE

 interface FastEthernet0/1
 description inside
 ip address 192.168.1.254 255.255.255.0
 ip virtual-reassembly in
  
ip route 192.168.0.0 255.255.0.0 Tunnel0

interface FastEthernet0/0
 description outside
 no ip address
 duplex auto
 speed auto
 ipv6 address 2012::2/64
 ipv6 enable

=============================================  
=> 881
 
 interface Tunnel0
 description vers test2
 ip unnumbered Vlan1
 ipv6 enable
 tunnel source FastEthernet4
 tunnel mode gre ipv6
 tunnel destination 2012::2
 tunnel path-mtu-discovery
 tunnel protection ipsec profile RACINE
 
 interface Vlan1
 description inside
 ip address 192.168.0.254 255.255.255.0
 ip virtual-reassembly in
 
 ip route 192.168.1.0 255.255.255.0 Tunnel0

 interface FastEthernet4
 description outside
 no ip address
 duplex auto
 speed auto
 ipv6 address 2012::1/64
 ipv6 enable

===========================================

but it doesn't work, it seems ISAKMP is ok but not IPSEC

=>

================================

IPv6 Crypto ISAKMP SA

  dst: 2012::2

  src: 2012::1

  conn-id: 1007  I-VRF:          Status: ACTIVE Encr: aes  Hash: md5

Auth: psk

  DH: 5  Lifetime: 23:52:06 Cap: D    Engine-id:Conn-id = SW:7

================================

interface: Tunnel0

     Crypto map tag: Tunnel0-head-0, local addr 2012::2

    protected vrf: (none)

    local  ident (addr/mask/prot/port): (2012::2/128/47/0)

    remote ident (addr/mask/prot/port): (2012::1/128/47/0)

    current_peer 2012::1 port 500

      PERMIT, flags={origin_is_acl,}

     #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

     #pkts compressed: 0, #pkts decompressed: 0

     #pkts not compressed: 0, #pkts compr. failed: 0

     #pkts not decompressed: 0, #pkts decompress failed: 0

     #pkts no sa (send) 2, #pkts invalid sa (rcv) 0

     #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0

     #pkts invalid prot (recv) 0, #pkts verify failed: 0

     #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0

     #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0

     ##pkts replay failed (rcv): 0

     #pkts internal err (send): 0, #pkts internal err (recv) 0

      local crypto endpt.: 2012::2,

      remote crypto endpt.: 2012::1

      path mtu 1500, ipv6 mtu 1500, ipv6 mtu idb FastEthernet0/0

      current outbound spi: 0x64631FC3(1684217795)

      PFS (Y/N): N, DH group: none

      inbound esp sas:

       spi: 0xE65495BB(3864303035)

         transform: esp-256-aes esp-md5-hmac ,

         in use settings ={Transport, }

         conn id: 2013, flow_id: FPGA:13, sibling_flags 80000006, crypto

map: Tunnel0-head-0

         sa timing: remaining key lifetime (k/sec): (4539633/28303)

         IV size: 16 bytes

         replay detection support: Y

         Status: ACTIVE

      inbound ah sas:

      inbound pcp sas:

      outbound esp sas:

       spi: 0x64631FC3(1684217795)

         transform: esp-256-aes esp-md5-hmac ,

         in use settings ={Transport, }

         conn id: 2014, flow_id: FPGA:14, sibling_flags 80000006, crypto

map: Tunnel0-head-0

         sa timing: remaining key lifetime (k/sec): (4539632/28303)

         IV size: 16 bytes

         replay detection support: Y

         Status: ACTIVE

      outbound ah sas:

      outbound pcp sas:

=====================================

if you have an idea ?

Regards

Nicolas

Nicolas,

I see

     #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

How does it looks like on the other side? We encaps but we dont get traffic from the remote box.

Regards.

Olivier

Oiliver,

will check that tomorrow

what about configurations, seems ok for you ?

thanks

Nicolas

Hello

No there is nothing obvious that I would spot as wrong. Let's see what you have on the other side.

As long the other side is not an ASR1000 [ which requires XE37 to support gre ipv6] , it should be ok

so on my 881 I have well encaps/decaps :

interface: Tunnel0

    Crypto map tag: Tunnel0-head-0, local addr 2012::1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (2012::1/128/47/0)

   remote ident (addr/mask/prot/port): (2012::2/128/47/0)

   current_peer 2012::2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #pkts no sa (send) 10, #pkts invalid sa (rcv) 0

    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0

    #pkts invalid prot (recv) 0, #pkts verify failed: 0

    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0

    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0

    ##pkts replay failed (rcv): 0

    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 2012::1,

     remote crypto endpt.: 2012::2

     path mtu 1500, ipv6 mtu 1500, ipv6 mtu idb FastEthernet4

     current outbound spi: 0x4B308178(1261470072)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0x773CB510(2000467216)

        transform: esp-256-aes esp-md5-hmac ,

        in use settings ={Transport, }

        conn id: 3, flow_id: Onboard VPN:3, sibling_flags 80000006, crypto map: Tunnel0-head-0

        sa timing: remaining key lifetime (k/sec): (4433065/28580)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x4B308178(1261470072)

        transform: esp-256-aes esp-md5-hmac ,

        in use settings ={Transport, }

        conn id: 4, flow_id: Onboard VPN:4, sibling_flags 80000006, crypto map: Tunnel0-head-0

        sa timing: remaining key lifetime (k/sec): (4433064/28580)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

=============================================

see debug after a "clear crypto session" and some ping tests :

============================================

test2#cle

test2#clear cry

test2#clear crypto se

test2#clear crypto session

test2#

*Jun 12 06:26:15.223: Schedule to delete SA 32.18.0.0:500 dst 32.18.0.0:500  fvrf 0x0, ivrf 0x0 in 60 seconds

*Jun 12 06:26:15.223: IPSEC(delete_sa): deleting SA,

  (sa) sa_dest= 2012::2, sa_proto= 50,

    sa_spi= 0x4B308178(1261470072),

    sa_trans= esp-aes 256 esp-md5-hmac , sa_conn_id= 2003

    sa_lifetime(k/sec)= (4578475/28800),

  (identity) local= 2012::2:0, remote= 2012::1:0,

    local_proxy= 2012::2/128/47/0 (type=5),

    remote_proxy= 2012::1/128/47/0 (type=5)

*Jun 12 06:26:15.227: IPSEC(update_current_outbound_sa): updated peer 2012::1 current outbound sa to SPI 0

*Jun 12 06:26:15.227: IPSEC(delete_sa): deleting SA,

  (sa) sa_dest= 2012::1, sa_proto= 50,

    sa_spi= 0x773CB510(2000467216),

    sa_trans= esp-aes 256 esp-md5-hmac , sa_conn_id= 2004

    sa_lifetime(k/sec)= (4578475/28800),

  (identity) local= 2012::2:0, remote= 2012::1:0,

    local_proxy= 2012::2/128/47/0 (type=5),

    remote_proxy= 2012::1/128/47/0 (type=5)

*Jun 12 06:26:16.227: ISAKMP: set new node 25783982 to QM_IDLE

*Jun 12 06:26:16.227: ISAKMP:(1002): sending packet to 2012::1 my_port 500 peer_port 500 (R) QM_IDLE

*Jun 12 06:26:16.227: ISAKMP:(1002):Sending an IKE IPv6 Packet.

*Jun 12 06:26:16.227: ISAKMP:(1002):purging node 25783982

*Jun 12 06:26:16.227: ISAKMP:(1002):peer does not do paranoid keepalives.

*Jun 12 06:26:16.227: ISAKMP:(1002):deleting SA reason "BY user command" state (R) QM_IDLE       (peer 2012::1)

*Jun 12 06:26:16.227: ISAKMP:(1002):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL

*Jun 12 06:26:16.227: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jun 12 06:26:16.227: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Jun 12 06:26:16.227: IPSec: Key engine got a KEY_MGR_CHECK_MORE_SAS message

*Jun 12 06:26:16.231: ISAKMP (1002): IPSec has no more SA's with this peer.  Won't keepalive phase 1.

*Jun 12 06:26:16.231: ISAKMP: set new node -1200329214 to QM_IDLE

*Jun 12 06:26:16.231: ISAKMP:(1002): sending packet to 2012::1 my_port 500 peer_port 500 (R) QM_IDLE

*Jun 12 06:26:16.231: ISAKMP:(1002):Sending an IKE IPv6 Packet.

*Jun 12 06:26:16.231: ISAKMP:(1002):purging node -1200329214

*Jun 12 06:26:16.231: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Jun 12 06:26:16.231: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Jun 12 06:26:16.231: ISAKMP:(1002):deleting SA reason "BY user command" state (R) QM_IDLE       (peer 2012::1)

*Jun 12 06:26:16.235: ISAKMP: Unlocking peer struct 0x67A9CEC8 for isadb_mark_sa_deleted(), count 0

*Jun 12 06:26:16.235: ISAKMP: Deleting peer node by peer_reap for 2012::1: 67A9CEC8

*Jun 12 06:26:16.235: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jun 12 06:26:16.235: ISAKMP:(1002):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Jun 12 06:26:16.235: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Jun 12 06:26:16.235: ISAKMP (1002): received packet from 2012::1 dport 500 sport 500 Global (R) MM_NO_STATE

test2#

*Jun 12 06:26:28.271: ISAKMP (0): received packet from 2012::1 dport 500 sport 500 Global (N) NEW SA

*Jun 12 06:26:28.271: ISAKMP: Created a peer struct for 2012::1, peer port 500

*Jun 12 06:26:28.271: ISAKMP: New peer created peer = 0x66B7E378 peer_handle = 0x80000004

*Jun 12 06:26:28.271: ISAKMP: Locking peer struct 0x66B7E378, refcount 1 for crypto_isakmp_process_block

*Jun 12 06:26:28.271: ISAKMP: local port 500, remote port 500

*Jun 12 06:26:28.271: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 67FFDEC8

*Jun 12 06:26:28.271: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jun 12 06:26:28.271: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Jun 12 06:26:28.275: ISAKMP:(0): processing SA payload. message ID = 0

*Jun 12 06:26:28.275: ISAKMP:(0):found peer pre-shared key matching 2012::1

*Jun 12 06:26:28.275: ISAKMP:(0): local preshared key found

*Jun 12 06:26:28.275: ISAKMP : Scanning profiles for xauth ...

*Jun 12 06:26:28.275: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Jun 12 06:26:28.275: ISAKMP:      encryption AES-CBC

*Jun 12 06:26:28.275: ISAKMP:      keylength of 256

*Jun 12 06:26:28.275: ISAKMP:      hash MD5

*Jun 12 06:26:28.275: ISAKMP:      default group 5

*Jun 12 06:26:28.275: ISAKMP:      auth pre-share

*Jun 12 06:26:28.275: ISAKMP:      life type in seconds

*Jun 12 06:26:28.275: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Jun 12 06:26:28.275: ISAKMP:(0):atts are acceptable. Next payload is 0

*Jun 12 06:26:28.275: ISAKMP:(0):Acceptable atts:actual life: 0

*Jun 12 06:26:28.275: ISAKMP:(0):Acceptable atts:life: 0

*Jun 12 06:26:28.275: ISAKMP:(0):Fill atts in sa vpi_length:4

*Jun 12 06:26:28.275: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

*Jun 12 06:26:28.275: ISAKMP:(0):Returning Actual lifetime: 86400

*Jun 12 06:26:28.275: ISAKMP:(0)::Started lifetime timer: 86400.

*Jun 12 06:26:28.275: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jun 12 06:26:28.275: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Jun 12 06:26:28.279: ISAKMP:(0): sending packet to 2012::1 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Jun 12 06:26:28.279: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Jun 12 06:26:28.279: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jun 12 06:26:28.279: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Jun 12 06:26:28.283: ISAKMP (0): received packet from 2012::1 dport 500 sport 500 Global (R) MM_SA_SETUP

*Jun 12 06:26:28.283: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jun 12 06:26:28.283: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Jun 12 06:26:28.283: ISAKMP:(0): processing KE payload. message ID = 0

*Jun 12 06:26:28.491: ISAKMP:(0): processing NONCE payload. message ID = 0

*Jun 12 06:26:28.491: ISAKMP:(0):found peer pre-shared key matching 2012::1

*Jun 12 06:26:28.491: ISAKMP:(1003): processing vendor id payload

*Jun 12 06:26:28.491: ISAKMP:(1003): vendor ID is DPD

*Jun 12 06:26:28.491: ISAKMP:(1003): processing vendor id payload

*Jun 12 06:26:28.491: ISAKMP:(1003): speaking to another IOS box!

*Jun 12 06:26:28.491: ISAKMP:(1003): processing vendor id payload

*Jun 12 06:26:28.491: ISAKMP:(1003): vendor ID seems Unity/DPD but major 52 mismatch

*Jun 12 06:26:28.491: ISAKMP:(1003): vendor ID is XAUTH

*Jun 12 06:26:28.491: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jun 12 06:26:28.491: ISAKMP:(1003):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Jun 12 06:26:28.495: ISAKMP:(1003): sending packet to 2012::1 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Jun 12 06:26:28.495: ISAKMP:(1003):Sending an IKE IPv6 Packet.

*Jun 12 06:26:28.495: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jun 12 06:26:28.495: ISAKMP:(1003):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Jun 12 06:26:28.579: ISAKMP (1003): received packet from 2012::1 dport 500 sport 500 Global (R) MM_KEY_EXCH

*Jun 12 06:26:28.579: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jun 12 06:26:28.579: ISAKMP:(1003):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Jun 12 06:26:28.583: ISAKMP:(1003): processing ID payload. message ID = 0

*Jun 12 06:26:28.583: ISAKMP (1003): ID payload

        next-payload : 8

        type         : 5

        address      : 2012::1

        protocol     : 17

        port         : 500

        length       : 24

*Jun 12 06:26:28.583: ISAKMP:(0):: peer matches *none* of the profiles

*Jun 12 06:26:28.583: ISAKMP:(1003): processing HASH payload. message ID = 0

*Jun 12 06:26:28.583: ISAKMP:received payload type 17

*Jun 12 06:26:28.583: ISAKMP:(1003): processing NOTIFY INITIAL_CONTACT protocol 1

        spi 0, message ID = 0, sa = 0x67FFDEC8

*Jun 12 06:26:28.583: ISAKMP:(1003):SA authentication status:

        authenticated

*Jun 12 06:26:28.583: ISAKMP:(1003):SA has been authenticated with 2012::1

*Jun 12 06:26:28.583: ISAKMP:(1003):SA authentication status:

        authenticated

*Jun 12 06:26:28.583: ISAKMP:(1003): Process initial contact,

bring down existing phase 1 and 2 SA's with local 2012::2 remote 2012::1 remote port 500

*Jun 12 06:26:28.583: ISAKMP: Trying to insert a peer 2012::2/2012::1/500/,  and inserted successfully 66B7E378.

*Jun 12 06:26:28.583: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jun 12 06:26:28.583: ISAKMP:(1003):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Jun 12 06:26:28.583: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Jun 12 06:26:28.587: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_IPV6_ADDR

*Jun 12 06:26:28.587: ISAKMP (1003): ID payload

        next-payload : 8

        type         : 5

        address      : 2012::2

        protocol     : 17

        port         : 500

        length       : 24

*Jun 12 06:26:28.587: ISAKMP:(1003):Total payload length: 24

*Jun 12 06:26:28.587: ISAKMP:(1003): sending packet to 2012::1 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Jun 12 06:26:28.587: ISAKMP:(1003):Sending an IKE IPv6 Packet.

*Jun 12 06:26:28.587: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jun 12 06:26:28.587: ISAKMP:(1003):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Jun 12 06:26:28.587: ISAKMP:(1003):IKE_DPD is enabled, initializing timers

*Jun 12 06:26:28.587: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Jun 12 06:26:28.587: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jun 12 06:26:28.591: ISAKMP (1003): received packet from 2012::1 dport 500 sport 500 Global (R) QM_IDLE

*Jun 12 06:26:28.591: ISAKMP: set new node -58530768 to QM_IDLE

*Jun 12 06:26:28.591: ISAKMP:(1003): processing HASH payload. message ID = 4236436528

*Jun 12 06:26:28.591: ISAKMP:(1003): processing SA payload. message ID = 4236436528

*Jun 12 06:26:28.591: ISAKMP:(1003):Checking IPSec proposal 1

*Jun 12 06:26:28.591: ISAKMP: transform 1, ESP_AES

*Jun 12 06:26:28.591: ISAKMP:   attributes in transform:

*Jun 12 06:26:28.591: ISAKMP:      encaps is 2 (Transport)

*Jun 12 06:26:28.591: ISAKMP:      SA life type in seconds

*Jun 12 06:26:28.595: ISAKMP:      SA life duration (basic) of 28800

*Jun 12 06:26:28.595: ISAKMP:      SA life type in kilobytes

*Jun 12 06:26:28.595: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

*Jun 12 06:26:28.595: ISAKMP:      authenticator is HMAC-MD5

*Jun 12 06:26:28.595: ISAKMP:      key length is 256

*Jun 12 06:26:28.595: ISAKMP:(1003):atts are acceptable.

*Jun 12 06:26:28.595: IPSEC(validate_proposal_request): proposal part #1

*Jun 12 06:26:28.595: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 2012::2:0, remote= 2012::1:0,

    local_proxy= 2012::2/128/47/0 (type=5),

    remote_proxy= 2012::1/128/47/0 (type=5),

    protocol= ESP, transform= NONE  (Transport),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0

*Jun 12 06:26:28.595: IPSEC(ipsecv6_find_ident_map): found IPsecv6 map Tunnel0-head-0 seq_no 65537 for requested proxies.

*Jun 12 06:26:28.595: ISAKMP:(1003): processing NONCE payload. message ID = 4236436528

*Jun 12 06:26:28.595: ISAKMP:(1003): processing ID payload. message ID = 4236436528

*Jun 12 06:26:28.595: ISAKMP:(1003): processing ID payload. message ID = 4236436528

*Jun 12 06:26:28.595: ISAKMP:(1003):QM Responder gets spi

*Jun 12 06:26:28.595: ISAKMP:(1003):Node 4236436528, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Jun 12 06:26:28.595: ISAKMP:(1003):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE

*Jun 12 06:26:28.599: ISAKMP:(1003): Creating IPSec SAs

*Jun 12 06:26:28.599:         inbound SA from 2012::1 to 2012::2 (f/i)  0/ 0

        (proxy 2012::1 to 2012::2)

*Jun 12 06:26:28.599:         has spi 0xCBF6D3FD and conn_id 0

*Jun 12 06:26:28.599:         lifetime of 28800 seconds

*Jun 12 06:26:28.599:         lifetime of 4608000 kilobytes

*Jun 12 06:26:28.599:         outbound SA from 2012::2 to 2012::1 (f/i) 0/0

        (proxy 2012::2 to 2012::1)

*Jun 12 06:26:28.599:         has spi  0x188DD965 and conn_id 0

*Jun 12 06:26:28.599:         lifetime of 28800 seconds

*Jun 12 06:26:28.599:         lifetime of 4608000 kilobytes

*Jun 12 06:26:28.599: ISAKMP:(1003): sending packet to 2012::1 my_port 500 peer_port 500 (R) QM_IDLE

*Jun 12 06:26:28.599: ISAKMP:(1003):Sending an IKE IPv6 Packet.

*Jun 12 06:26:28.599: ISAKMP:(1003):Node 4236436528, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI

*Jun 12 06:26:28.599: ISAKMP:(1003):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2

*Jun 12 06:26:28.599: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Jun 12 06:26:28.603: IPSEC(ipsecv6_find_ident_map): found IPsecv6 map Tunnel0-head-0 seq_no 65537 for requested proxies.

*Jun 12 06:26:28.603: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 2012::1

*Jun 12 06:26:28.603: IPSEC(create_sa): sa created,

  (sa) sa_dest= 2012::2, sa_proto= 50,

    sa_spi= 0xCBF6D3FD(3421950973),

    sa_trans= esp-aes 256 esp-md5-hmac , sa_conn_id= 2005

    sa_lifetime(k/sec)= (4572742/28800)

*Jun 12 06:26:28.603: IPSEC(create_sa): sa created,

  (sa) sa_dest= 2012::1, sa_proto= 50,

    sa_spi= 0x188DD965(411949413),

    sa_trans= esp-aes 256 esp-md5-hmac , sa_conn_id= 2006

    sa_lifetime(k/sec)= (4572742/28800)

*Jun 12 06:26:28.607: ISAKMP (1003): received packet from 2012::1 dport 500 sport 500 Global (R) QM_IDLE

*Jun 12 06:26:28.607: ISAKMP:(1003):deleting node -58530768 error FALSE reason "QM done (await)"

*Jun 12 06:26:28.607: ISAKMP:(1003):Node 4236436528, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Jun 12 06:26:28.607: ISAKMP:(1003):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

*Jun 12 06:26:28.607: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Jun 12 06:26:28.607: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP

*Jun 12 06:26:28.607: IPSEC(key_engine_enable_outbound): enable SA with spi 411949413/50

*Jun 12 06:26:28.607: IPSEC(update_current_outbound_sa): get enable SA peer 2012::1 current outbound sa to SPI 188DD965

*Jun 12 06:26:28.607: IPSEC(update_current_outbound_sa): updated peer 2012::1 current outbound sa to SPI 188DD965

*Jun 12 06:27:16.235: ISAKMP:(1002):purging SA., sa=67FFD4AC, delme=67FFD4AC

*Jun 12 06:27:18.607: ISAKMP:(1003):purging node -58530768

test2#ping 192.168.0.

*Jun 12 06:27:34.699: ISAKMP (1003): received packet from 2012::1 dport 500 sport 500 Global (R) QM_IDLE

*Jun 12 06:27:34.699: ISAKMP: set new node 982830211 to QM_IDLE

*Jun 12 06:27:34.699: ISAKMP:(1003): processing HASH payload. message ID = 982830211

*Jun 12 06:27:34.699: ISAKMP:(1003): processing NOTIFY DPD/R_U_THERE protocol 1

        spi 0, message ID = 982830211, sa = 0x67FFDEC8

*Jun 12 06:27:34.699: ISAKMP:(1003):deleting node 982830211 error FALSE reason "Informational (in) state 1"

*Jun 12 06:27:34.699: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Jun 12 06:27:34.699: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jun 12 06:27:34.699: ISAKMP:(1003):DPD/R_U_THERE received from peer 2012::1, sequence 0xB227F79

*Jun 12 06:27:34.699: ISAKMP: set new node 1210782924 to QM_IDLE

*Jun 12 06:27:34.703: ISAKMP:(1003):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 1726403296, message ID = 1210782924

*Jun 12 06:27:34.703: ISAKMP:(1003): seq. no 0xB227F79

*Jun 12 06:27:34.703: ISAKMP:(1003): sending packet to 2012::1 my_port 500 peer_port 500 (R) QM_IDLE

*Jun 12 06:27:34.703: ISAKMP:(1003):Sending an IKE IPv6 Packet.

*Jun 12 06:27:34.703: ISAKMP:(1003):purging node 1210782924

*Jun 12 06:27:34.703: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE1

*Jun 12 06:27:34.703: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:

*Jun 12 06:27:37.875: ISAKMP: DPD received KMI message.

*Jun 12 06:27:37.875: ISAKMP: set new node 836561933 to QM_IDLE

*Jun 12 06:27:37.875: ISAKMP:(1003):Sending NOTIFY DPD/R_U_THERE protocol 1

        spi 1729152104, message ID = 836561933

*Jun 12 06:27:37.875: ISAKMP:(1003): seq. no 0x2D0964A1

*Jun 12 06:27:37.875: ISAKMP:(1003): sending packet to 2012::1 my_port 500 peer_port 500 (R) QM_IDLE

*Jun 12 06:27:37.875: ISAKMP:(1003):Sending an IKE IPv6 Packet.

*Jun 12 06:27:37.875: ISAKMP:(1003):purging node 836561933

*Jun 12 06:27:37.879: ISAKMP (1003): received packet from 2012::1 dport 500 sport 500 Global (R) QM_IDLE

*Jun 12 06:27:37.879: ISAKMP: set new node -2078384184 to QM_IDLE

*Jun 12 06:27:37.879: ISAKMP:(1003): processing HASH payload. message ID = 2216583112

*Jun 12 06:27:37.879: ISAKMP:(1003): processing NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 0, message ID = 2216583112, sa = 0x67FFDEC8

*Jun 12 06:27:37.879: ISAKMP:(1003): DPD/R_U_THERE_ACK received from peer 2012::1, sequence 0x2D0964A1

*Jun 12 06:27:37.879: ISAKMP:(1003):deleting node -2078384184 error FALSE reason "Informational (in) state 1"

*Jun 12 06:27:37.879: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Jun 12 06:27:37.879: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

.....

Success rate is 0 percent (0/5)

test2#ping 192.168.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

test2#

===================================================

any idea ?

Nicolas

Bonjour Nicolas,

So to summarize:

On the 1841 we  have

     #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

On the 881 we have 

    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

meaning both sides are encapsulating traffic BUT they never receive the ESP packet from the other side.

Are we sure the ESP packets are exiting the 881 and 1841?

Are we sure the ESP packets are arriving on the 881 and 1841?

Regards,

Bonjour Olivier,

Yes I confirm, there is no ESP traffic between router

I put a sniffer between router and I can see only few ISAKMP packets, nothing more (or icmpv6...) but no ESP packets.

that's why I don't understand

Nicolas

wierd... I did a quick test on my boxes [151-4.M6]

R102#sh crypto session d

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection    

K - Keepalives, N - NAT-traversal, T - cTCP encapsulation    

X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel0

Profile: test

Uptime: 00:00:29

Session status: UP-ACTIVE    

Peer: 2001:2::1 port 500 fvrf: (none) ivrf: (none)

      Phase1_id: 2001:2::1

      Desc: (none)

  IKEv1 SA: local 2001:1::1/500

          remote 2001:2::1/500 Active

          Capabilities:(none) connid:1001 lifetime:23:59:30

  IPSEC FLOW: permit 47 host 2001:1::1 host 2001:2::1

        Active SAs: 2, origin: crypto map

        Inbound:  #pkts dec'ed 11 drop 0 life (KB/Sec) 4479445/3570

        Outbound: #pkts enc'ed 17 drop 2 life (KB/Sec) 4479445/3570

The boxes are back to back? Any filters?

Do you have the same if disable the local HW accelerator and pick up show crypto eli prior disable HW accelerator [ to make sure IPV6 is listed ]

I have the same result as you (same with in disabling HW accelerator)

sh crypto eli :

hard encry active

nb of hard crypt eng : 1

crypto engin FPGA det : state = active

capability :....

ipsec session : 2 active 300 max 0 failes

:-(

Can you past both complete config ?

Nicolas,

Can you attached config + show ipv6 route + show crypto engine accell stati, from both sides?

My lab also works, software crypto.

M.

all infos asked :

on 881 :

==========================================================

test2#wr t

Building configuration...

Current configuration : 2101 bytes

!

! Last configuration change at 08:13:16 CEDT Thu Jun 13 2013

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname test2

!

boot-start-marker

boot system flash c1841-advipservicesk9-mz.151-4.M6.bin

boot-end-marker

!

!

enable password 7 0831424D1B4F56

!

no aaa new-model

!

clock timezone CEST 1 0

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dot11 syslog

no ip source-route

!

!

!

!

!

ip cef

no ip domain lookup

ip domain name education.gouv.fr

no ipv6 cef

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

!

!

!

license udi pid CISCO1841 sn FCZ104410AL

archive

log config

  hidekeys

username clermont privilege 15 secret 4 XS7vUdQUY/uHCN04Hsr6Kqsfh1V9l76lhnXxAliCntU

!

redundancy

!

!

!

!

crypto isakmp policy 10

encr aes 256

hash md5

authentication pre-share

group 5

crypto isakmp key cisco address ipv6 ::/0

crypto isakmp keepalive 60 10

!

crypto ipsec security-association lifetime seconds 28800

!

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes 256 esp-md5-hmac

mode transport

!

crypto ipsec profile RACINE

set transform-set ESP-AES-256-MD5

!

!

!

!

!

!

interface Tunnel0

description vers test1

ip unnumbered FastEthernet0/1

ipv6 enable

tunnel source FastEthernet0/0

tunnel mode gre ipv6

tunnel destination 2012::1

tunnel protection ipsec profile RACINE

!

interface FastEthernet0/0

description outside

no ip address

duplex auto

speed auto

ipv6 address 2012::2/64

ipv6 enable

!

interface FastEthernet0/1

description inside

ip address 192.168.1.254 255.255.255.0

ip virtual-reassembly in

duplex auto

speed auto

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

ip route 192.168.0.0 255.255.255.0 Tunnel0

!

no cdp run

!

!

!

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line vty 0 4

access-class 10 in

privilege level 15

login local

transport input ssh

transport output none

!

scheduler max-task-time 5000

scheduler allocate 20000 1000

end

test2#sh ipv6 roiu

test2#sh ipv6 ro

test2#sh ipv6 route

IPv6 Routing Table - default - 3 entries

Codes: C - Connected, L - Local, S - Static, U - Per-user Static route

       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP

       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary

       D - EIGRP, EX - EIGRP external, ND - Neighbor Discovery, l - LISP

       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2

       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2

C   2012::/64 [0/0]

     via FastEthernet0/0, directly connected

L   2012::2/128 [0/0]

     via FastEthernet0/0, receive

L   FF00::/8 [0/0]

     via Null0, receive

test2#sh cry

test2#sh crypto en

test2#sh crypto eng

test2#sh crypto engine ac

test2#sh crypto engine accelerator st

test2#sh crypto engine accelerator statistic

Device:   FPGA

Location: Onboard: 0

        :Statistics for encryption device since the last clear

         of counters 81146 seconds ago

                     18 packets in                          18 packets out

                   2472 bytes in                          3288 bytes out

                      0 paks/sec in                          0 paks/sec out

                      0 Kbits/sec in                         0 Kbits/sec out

                      0 packets decrypted                   18 packets encrypted

                      0 bytes before decrypt              2472 bytes encrypted

                      0 bytes decrypted                   3288 bytes after encrypt

                      0 packets decompressed                 0 packets compressed

                      0 bytes before decomp                  0 bytes before comp

                      0 bytes after decomp                   0 bytes after comp

                      0 packets bypass decompr               0 packets bypass compres

                      0 bytes bypass decompres               0 bytes bypass compressi

                      0 packets not decompress               0 packets not compressed

                      0 bytes not decompressed               0 bytes not compressed

                  1.0:1 compression ratio                1.0:1 overall

                Last 5 minutes:

                      0 packets in                           0 packets out

                      0 paks/sec in                          0 paks/sec out

                      0 bits/sec in                          0 bits/sec out

                      0 bytes decrypted                      0 bytes encrypted

                      0 Kbits/sec decrypted                  0 Kbits/sec encrypted

                  1.0:1 compression ratio                1.0:1 overall

FPGA:

        ds: 0x675AEB10        idb:0x67AF66F0

        Statistics for Virtual Private Network (VPN) Module:

                18 packets in                        18 packets out

                 0 paks/sec in                        0 paks/sec out

                 0 Kbits/sec in                       0 Kbits/sec out

                 0 packets decrypted                 18 packets encrypted

        packet overruns:   0  output packets dropped:   0

        tx_hi_drops:       0  fw_failure:    0

        invalid_sa:     0   invalid_flow:    0

        null_ip_error:  0   pad_size_error:  0     out_bound_dh_acc:  0

        esp_auth_fail:  0   ah_auth_failure: 0     crypto_pad_error:  0

        ah_prot_absent: 0   ah_seq_failure:  0     ah_spi_failure:    0

        esp_prot_absent:0   esp_seq_fail:    0     esp_spi_failure:   0

        obound_sa_acc:  0   invalid_sa:      0     out_bound_sa_flow: 0

        invalid_dh:     0   bad_keygroup:    0     out_of_memory:     0

        no_sh_secret:   0   no_skeys:        0     invalid_cmd:       0

        pak_too_big:       0

        tx_lo_queue_size_max 0  cmd_unimplemented: 0

        flow_cfg_mismatch    0  flow_ip_add_mismatch: 0

        unknown_protocol     0  bad_particle_align: 0

        81146 seconds since last clear of counters

        Interrupts: Notify = 18

test2#

========================================================================

on 1841 :

========================================================================

test1#wr t

Building configuration...

Current configuration : 2117 bytes

!

! Last configuration change at 08:19:00 CEDT Thu Jun 13 2013

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname test1

!

boot-start-marker

boot-end-marker

!

!

enable password 7 0831424D1B4F56

!

no aaa new-model

!

memory-size iomem 10

clock timezone CEST 1 0

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

crypto pki token default removal timeout 0

!

!

no ip source-route

!

!

!

!

!

ip cef

no ip domain lookup

ip domain name education.gouv.fr

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO881-SEC-K9 sn FCZ17159431

!

!

username clermont privilege 15 secret 4 XS7vUdQUY/uHCN04Hsr6Kqsfh1V9l76lhnXxAliCntU

!

!

!

!

!

!

crypto isakmp policy 10

encr aes 256

hash md5

authentication pre-share

group 5

crypto isakmp key cisco address ipv6 ::/0

crypto isakmp keepalive 60 10

!

crypto ipsec security-association lifetime seconds 28800

!

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes 256 esp-md5-hmac

mode transport

!

crypto ipsec profile RACINE

set transform-set ESP-AES-256-MD5

!

!

!

!

!

!

interface Tunnel0

description vers test2

ip unnumbered Vlan1

ipv6 enable

tunnel source FastEthernet4

tunnel mode gre ipv6

tunnel destination 2012::2

tunnel protection ipsec profile RACINE

!

interface FastEthernet0

no ip address

!

interface FastEthernet1

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

description outside

no ip address

duplex auto

speed auto

ipv6 address 2012::1/64

ipv6 enable

!

interface Vlan1

description inside

ip address 192.168.0.254 255.255.255.0

ip virtual-reassembly in

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

ip route 192.168.1.0 255.255.255.0 Tunnel0

!

no cdp run

!

!

!

!

!

control-plane

!

!

line con 0

no modem enable

line aux 0

line vty 0 4

access-class 10 in

privilege level 15

login local

transport input ssh

transport output none

!

scheduler max-task-time 5000

end

test1#show ipv

test1#show ipv6 route

IPv6 Routing Table - default - 3 entries

Codes: C - Connected, L - Local, S - Static, U - Per-user Static route

       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP

       D - EIGRP, EX - EIGRP external, ND - Neighbor Discovery, l - LISP

       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2

       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2

C   2012::/64 [0/0]

     via FastEthernet4, directly connected

L   2012::1/128 [0/0]

     via FastEthernet4, receive

L   FF00::/8 [0/0]

     via Null0, receive

test1#

test1#sh cry

test1#sh crypto en

test1#sh crypto eng

test1#sh crypto engine ac

test1#sh crypto engine accelerator st

test1#sh crypto engine accelerator statistic

Device:   Onboard VPN

Location: Onboard: 0

        :Statistics for encryption device since the last clear

         of counters 81565 seconds ago

                    239 packets in                         239 packets out

                  24856 bytes in                         37284 bytes out

                      0 paks/sec in                          0 paks/sec out

                      0 Kbits/sec in                         0 Kbits/sec out

                      0 packets decrypted                  239 packets encrypted

                      0 bytes before decrypt             24856 bytes encrypted

                      0 bytes decrypted                  37284 bytes after encrypt

                      0 packets decompressed                 0 packets compressed

                      0 bytes before decomp                  0 bytes before comp

                      0 bytes after decomp                   0 bytes after comp

                      0 packets bypass decompr               0 packets bypass compres

                      0 bytes bypass decompres               0 bytes bypass compressi

                      0 packets not decompress               0 packets not compressed

                      0 bytes not decompressed               0 bytes not compressed

                  1.0:1 compression ratio                1.0:1 overall

                Last 5 minutes:

                     26 packets in                          26 packets out

                      0 paks/sec in                          0 paks/sec out

                     73 bits/sec in                        109 bits/sec out

                      0 bytes decrypted                   2704 bytes encrypted

                      0 Kbits/sec decrypted                 73 Kbits/sec encrypted

                  1.0:1 compression ratio                1.0:1 overall

Errors:

Total Number of Packet Drops = 0

Pad Error                    = 0

Data Error                   = 0

Packet Error                 = 0

Null IP Error                = 0

Hardware Error               = 0

CP Unavailable               = 0

HP Unavailable               = 0

AH Seq Failure               = 0

Link Down Error              = 0

ESP Seq Failure              = 0

AH Auth Failure              = 0

ESP Auth Failure             = 0

Queue Full Error             = 0

API Request Error            = 0

Invalid Flow Error           = 0

Buffer Unavailable           = 0

QOS Queue Full Error         = 0

Packet too Big Error         = 0

AH Replay Check Failure      = 0

Too Many Particles Error     = 0

ESP Replay Check Failure     = 0

Input Queue Full Error       = 0

Output Queue Full Error      = 0

Pre-batch Queue Full Error   = 0

Post-batch Queue Full Error  = 0

BATCHING Statistics:

Batching Allowed

Batching currently Inactive

No of times batching turned on        = 0

No of times batching turned off       = 0

No of Flush Done                      = 0

Flush Timer in Milli Seconds          = 8

Disable Timer in Seconds              = 20

Threshold Crypto Paks/Sec

  to enable batching                  = 2000

PRE-BATCHING Enabled

Pre-batch count, max_count            = 0, 16

Packets queued to pre-batch queue     = 0

Packets flushed from pre-batch queue  = 0

The Pre-batch Queue Information

The Queuesize is                      = 128

The no entries currently being used   = 0

The Read Index is                     = 0

The Write Index is                    = 0

The entries in use are between Read and Write Index

The entries in use are

POST-BATCHING Enabled

Post-batch count, max_count           = 0, 16

Packets queued to post-batch queue    = 0

Packets flushed from post-batch queue = 0

The Post-batch Queue Information

The Queuesize is                      = 128

The no entries currently being used   = 0

The Read Index is                     = 0

The Write Index is                    = 0

The entries in use are between Read and Write Index

The entries in use are

test1#

=======================================================

regards

Nicolas

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: