08-20-2004 04:32 AM - edited 02-21-2020 01:18 PM
Hi,
We have set up a site-to-site VPN connection between two Cisco 3745 routers running 12.3.6. The tunnel is working fine, but sometimes the CPU utilization on both routers goes up to 100% and I can see that it is the Encryption Process that is using the processor. When I do a "debug cry engine" I get the following error:
CRYPTO_ENGINE: crypto_pak_coalesce: could not allocate pak
I tried to search for the error message, but could not find any results. Has anyone seen this message and got a clue of what could be wrong?
Any help would be appreciated!
Regards,
Harald
08-26-2004 07:47 AM
Not sure if you are using any PIX firewalls in your network. If so, you may need to use PIX 5.1 or later. This is because earlier PIX versions are by default configured to send syslog messages as traps. This might cause CPU hog especially when live event logging
08-27-2004 02:28 AM
There is a PIX between the two routers, but it is running version 6.3 and allows ESP and IKE traffic to pass through.
08-26-2004 07:47 PM
Hi
Can you post your config if possible, and also the sh version of your routers?
Just to have an insight view and also to check/verify if config points are misconfigured, which can also eat up the processor.
Regards
08-27-2004 02:33 AM
I have included the configuration for the two routers below. Please note that there is a PIX between them which has IP addresses 10.2.2.41 and 10.1.1.8.
Thanks again for any help!
+++++++++++++++++++++++++++++++++++++
hostname Router1
!
ip subnet-zero
!
ip cef
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp key xxxxxxxxxxxxx address 10.1.1.7
!
crypto ipsec transform-set Tunnel esp-des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 10.1.1.7
set transform-set Tunnel
match address Region1
!
interface FastEthernet0/1
ip address 192.168.1.2 255.255.255.252
!
interface FastEthernet0/1
ip address 10.2.2.42 255.255.255.252
crypto map VPN
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.0.0.0 255.0.0.0 10.2.2.41
ip route 192.168.32.0 255.255.255.0 10.2.2.41
!
!
ip access-list extended Region1
permit ip any 192.168.32.0 0.0.0.255
!
++++++++++++++++++++++++++++++++++
!
hostname Router2
!
ip subnet-zero
!
ip cef
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key xxxxxxxxxxxxx address 10.2.2.42
!
crypto ipsec transform-set Tunnel esp-des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 10.2.2.42
set transform-set Tunnel
match address region1
!
!
interface FastEthernet0/0
ip address 10.1.1.7 255.255.255.0
crypto map VPN
!
interface FastEthernet0/1
ip address 192.168.32.0 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.8
!
ip access-list extended region1
permit ip 192.168.32.0 0.0.0.255 any
!
========================================
08-27-2004 04:05 AM
Some additional information:
Router1#show crypto engine connections dropped-packet
Packets dropped because of crypto shutdown:
Interface IP-Address Drop Count
FastEthernet0/1 10.2.2.42 76
Packets dropped because of abnormal event occurred:
Interface IP-Address Drop Count
FastEthernet0/1 10.2.2.42 1062961
+++++++++++
PS By accident when I edited the configuration for posting I got two FastEthernet0/1 interfaces on Router 1. The IP address 192.168.1.2 should be on FastEthernet0/0.
08-28-2004 01:07 AM
Hi
AFAIU from your configs, you are encrypting the whole traffic being generated. Are you trying to encrypt your Internet traffic too with your VPN?
If that's the case, it may also utilise your CPU a lot.
Regards
08-29-2004 07:47 AM
All the traffic from the region should be encrypted. This includes the Internet traffic for them. However, the regions are only connected with E1 links (to Router2), so I assume a 3745 CPU could handle encryption for such low bandwidth links?
Regards,
Harald
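Added example, not part of any post in the thread: a small Python check that reads the tunnel-related lines of the two posted configurations and reports whether the peers point at each other's crypto-map interface, whether the crypto ACLs mirror each other, and whether an `any` selector pulls Internet-bound traffic into the tunnel (the point raised in the last two posts). The function names `selectors`, `parse` and `audit` are this example's own.

```python
# Excerpts of the two configurations posted in the thread (tunnel-related lines only).
R1 = """crypto map VPN 10 ipsec-isakmp
 set peer 10.1.1.7
 match address Region1
interface FastEthernet0/1
 ip address 10.2.2.42 255.255.255.252
 crypto map VPN
ip access-list extended Region1
 permit ip any 192.168.32.0 0.0.0.255"""
R2 = """crypto map VPN 10 ipsec-isakmp
 set peer 10.2.2.42
 match address region1
interface FastEthernet0/0
 ip address 10.1.1.7 255.255.255.0
 crypto map VPN
ip access-list extended region1
 permit ip 192.168.32.0 0.0.0.255 any"""

def selectors(tok):
    """Split the tokens after 'permit ip' into (source, destination)."""
    n = 1 if tok[0] == "any" else 2       # 'any' | 'host A' | 'net wildcard'
    return " ".join(tok[:n]), " ".join(tok[n:])

def parse(cfg):
    """Return peer, crypto ACL name ('address'), ACLs and tunnel interface IP ('local')."""
    out, ctx, ip = {"peer": None, "address": None, "acl": {}, "local": None}, [""], None
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[0] == "interface" or w[:2] == ["ip", "access-list"]:
            ctx, ip = w, None             # entering a new configuration context
        elif w[:2] in (["set", "peer"], ["match", "address"]):
            out[w[1]] = w[2]
        elif ctx[0] == "interface" and w[:2] == ["ip", "address"]:
            ip = w[2]
        elif ctx[0] == "interface" and w[:2] == ["crypto", "map"] and len(w) == 3:
            out["local"] = ip             # interface the crypto map is applied to
        elif ctx[0] == "ip" and w[:2] == ["permit", "ip"]:
            out["acl"].setdefault(ctx[-1], []).append(selectors(w[2:]))
    return out

def audit(a, b):
    """Compare both tunnel ends and return a list of findings."""
    acl_a, acl_b, f = a["acl"].get(a["address"], []), b["acl"].get(b["address"], []), []
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        f.append("peer does not match the remote crypto-map interface")
    if sorted(acl_a) != sorted((d, s) for s, d in acl_b):
        f.append("crypto ACLs are not mirror images")
    if any("any" in e for e in acl_a + acl_b):
        f.append("'any' selector: Internet-bound traffic is encrypted too")
    return f
```

Calling `audit(parse(R1), parse(R2))` on the posted configurations returns only the `any` finding: the peers and ACLs are consistent, and the tunnel carries all traffic from the region.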