
Upgrade to WS-IPSEC-3 from WS-SVC-IPSEC-1 troubleshooting

davidmv13
Level 1

I upgraded from a WS-SVC-IPSEC-1 to a WS-IPSEC-3 residing on a WS-SSC-600 in a 6506. I am not seeing any issues with the traffic except it appears that all the IPSEC sessions are now in software instead of hardware. The odd thing is there is no degradation to the service like you would expect in this scenario. I am thinking that the new module just appears as software. Is that correct? I get the following output from the respective commands:

#sho module 3
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  3    0  2-subslot Services SPA Carrier-600     WS-SSC-600         SAL1308K19Z

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  3  0021.a0b8.29b8 to 0021.a0b8.29bf   1.0   12.2(33)SXI4 12.2(33)SXI4 Ok

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ----------- ------- -------
 3/0 IPSec Accelerator 3         WS-IPSEC-3         SAL1250CUW2  1.0    Ok

Mod  Online Diag Status
---- -------------------
  3  Pass
 3/0 Pass

****************************************

#sho crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1

CryptoEngine WS-IPSEC-3[3/0] details: state = Active
Capability      :
     IPSEC: DES, 3DES, AES, RSA, IPv6

IKE-Session   :    40 active, 16383 max, 0 failed
DH            :     0 active,  9999 max, 0 failed
IPSec-Session :    84 active, 65534 max, 0 failed

****************************************

#sho crypto engine configuration
        crypto engine name:  Cisco VPN Software Implementation
        crypto engine type:  software
             serial number:  00002371
       crypto engine state:  installed
     crypto engine in slot:  N/A
                  platform:  Cisco Software Crypto Engine

   Crypto Adjacency Counts:
                Lock Count:  0
              Unlock Count:  0
        crypto lib version:  18.0.0

****************************************

#sho crypto engine accelerator statistic slot 3/0 detail
VPN module in slot 3/0:

Decryption Side Data Path Statistics
====================================
Packets RX...............: 2099066330
Packets TX...............: 2098739943
IPSec Transport Mode.....: 2085397540
IPSec Tunnel Mode........: 0
AH Packets...............: 0
ESP Packets..............: 2085397540
GRE Decapsulations.......: 0
NAT-T Decapsulations.....: 0
Clear....................: 1
Packets Drop.............: 326387
Authentication Errors....: 0
Decryption Errors........: 0
Replay Check Failed......: 0
Policy Check Failed......: 0
GRE Errors...............: 0
SPD Errors...............: 13342403
HA Standby Drop..........: 0
Hard Life Drop...........: 0
Invalid SA...............: 0
Reassembly Frag RX.......: 0

Decryption Side Controller Statistics
=====================================
Frames RX................: 2099068231
Bytes RX.................: 798417923480
Mcast/Bcast Frames RX....: 0
RX Less 128Bytes.........: 1150381
RX Less 512Bytes.........: 1688228933
RX Less 1KBytes..........: 127799452
RX Less 9KBytes..........: 281889465
RX Frames Drop...........: 0
Frames TX................: 2839211917
Bytes TX.................: 2880190211025

Encryption Side Data Path Statistics
====================================
Packets RX...............: 2839538285
Packets TX...............: 2839211894
IPSec Transport Mode.....: 2820128534
IPSec Tunnel Mode........: 0
GRE Encapsulations.......: 0
NAT-T Encapsulations.....: 0
LAF prefragmented........: 0
Fragmented...............: 0
Clear....................: 0
Packets Drop.............: 326391
Encryption Errors........: 98871
HA Standby Drop..........: 0
Hard life Drop...........: 0
Invalid SA...............: 0
ICMP Unreachable DF set..: 0
Reassembly Frag RX.......: 0

Encryption Side Controller Statistics
=====================================
Frames RX................: 2839732733
Bytes RX.................: 2799883016643
Mcast/Bcast Frames RX....: 0
RX Less 128Bytes.........: 5731627
RX Less 512Bytes.........: 943342077
RX Less 1KBytes..........: 100500609
RX Less 9KBytes..........: 1790158420
RX Frames Drop...........: 0
Frames TX................: 2098741815
Bytes TX.................: 719268541198

3 Replies

wzhang
Cisco Employee

Hi,

With the VSPA on the 6500, commands like "show crypto engine config" and "show crypto engine brief" are not supported. From your "show crypto eli" and "show crypto engine stat" output, it looks like the SPA is the active crypto engine, and it's working fine. I hope this helps.

Thanks,

Wen

Thanks....that is what I was thinking, I just cannot find any documentation on Cisco to support that theory.  Thanks for the response.

Hi,

I'm not aware of any public documentation. The closest that I could find was this:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsf21243

I hope this helps.

Thanks,

Wen
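
The check described in the first reply (trust "show crypto eli" and the accelerator statistics rather than "show crypto engine configuration"), written as an added Python example that is not part of the original thread and is not Cisco code. The sample text is copied from the output in the original post and abridged; the function names and the rule in `assess` (active hardware engine plus a non-zero data-path TX counter means hardware offload) are assumptions made for this example.

```python
import re

# Lines copied from the output in the original post, abridged to what the check reads.
SHOW_CRYPTO_ELI = """\
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine WS-IPSEC-3[3/0] details: state = Active
IKE-Session   :    40 active, 16383 max, 0 failed
DH            :     0 active,  9999 max, 0 failed
IPSec-Session :    84 active, 65534 max, 0 failed
"""
ENCRYPT_SIDE_STATS = """\
Packets RX...............: 2839538285
Packets TX...............: 2839211894
Packets Drop.............: 326391
Encryption Errors........: 98871
"""

def parse_eli(text):
    """Extract the hardware-encryption flag, engine states and session counters."""
    info = {"hw_active": False, "engines": [], "sessions": {}}
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Hardware Encryption\s*:\s*(\S+)", line):
            info["hw_active"] = m[1].upper() == "ACTIVE"
        elif m := re.match(r"CryptoEngine (\S+)\[(\S+?)\] details: state = (\S+)", line):
            info["engines"].append({"model": m[1], "slot": m[2], "state": m[3]})
        elif m := re.match(r"([\w-]+)\s*:\s*(\d+) active,\s*(\d+) max,\s*(\d+) failed", line):
            info["sessions"][m[1]] = dict(zip(("active", "max", "failed"), map(int, m.groups()[1:])))
    return info

def parse_counters(text):
    """Turn 'Name......: 123' accelerator counter lines into {name: int}."""
    return {m[1].strip(): int(m[2])
            for m in re.finditer(r"^\s*(.+?)\.*:\s*(\d+)\s*$", text, re.M)}

def assess(eli_text, stats_text):
    """Assumed rule: offload is confirmed when the ELI reports an active hardware
    engine and that engine's data path has transmitted packets."""
    eli, c = parse_eli(eli_text), parse_counters(stats_text)
    active = [e for e in eli["engines"] if e["state"].lower() == "active"]
    rx = c.get("Packets RX", 0)
    return {
        "hardware_offload": eli["hw_active"] and bool(active) and c.get("Packets TX", 0) > 0,
        "active_engines": [f'{e["model"]}[{e["slot"]}]' for e in active],
        "failed_sessions": sum(s["failed"] for s in eli["sessions"].values()),
        # Counters are cumulative since the last clear/reload, so this is a lifetime rate.
        "drop_ppm": round(c.get("Packets Drop", 0) * 1_000_000 / rx) if rx else None,
    }

if __name__ == "__main__":
    print(assess(SHOW_CRYPTO_ELI, ENCRYPT_SIDE_STATS))
```

Because the counters are cumulative, comparing two snapshots taken some minutes apart shows whether the hardware engine is carrying current traffic and whether the drop counters are still growing.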