From: Nitin Venugopal (nitinsworld@gmail.com)
Date: Fri Jan 30 2009 - 12:36:43 ARST
Please do share once it's resolved!
Best Regards
Nitin
On Fri, Jan 30, 2009 at 5:23 PM, Antonio Soares <amsoares@netcabo.pt> wrote:
> Well, the "show crypto ipsec sa" does not show anything related to
> hardware or even software. My 343rd TAC case is already opened
> :)
>
> I will let you know how this issue was resolved.
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares@netcabo.pt
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Nitin Venugopal
> Sent: Thursday, 29 January 2009 11:54
> To: Antonio Soares
> Cc: Rohyans, Aaron; security@groupstudy.com; ccielab@groupstudy.com
> Subject: Re: SPA-IPSEC-2G
>
> Hi Antonio,
>
> Have you enabled IPsec fragmentation on either side of the tunnel? If not,
> try doing it:
>
> 'crypto ipsec fragmentation before-encryption'
>
> Then do a 'clear crypto isa' and 'clear crypto sa'...
>
> Initiate interesting traffic and check again.
>
> Regards
> Nitin
>
> On Thu, Jan 29, 2009 at 2:42 PM, Antonio Soares <amsoares@netcabo.pt>
> wrote:
>
> > Yes, we configured one tunnel again and I have this "show crypto eli"
> > output:
> >
> > ---------------------------------------------------------
> > Hardware Encryption : ACTIVE
> > Number of hardware crypto engines = 1
> >
> > CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
> > Capability :
> > IPSEC: DES, 3DES, AES, RSA
> >
> > IKE-Session : 1 active, 16383 max, 0 failed
> > DH : 0 active, 9999 max, 0 failed
> > IPSec-Session : 2 active, 65534 max, 0 failed
> > ---------------------------------------------------------
> >
> > So this should mean hw encryption is taking place. But why do the "show
> > crypto engine brief" and "show crypto engine configuration" not
> > show anything related to the SPA? I will try to get some more
> > outputs but I agree with you: the issue is something else other than a
> > problem with the SPA.
> >
> >
> > Thanks.
> >
> > Regards,
> >
> > Antonio Soares, CCIE #18473 (R&S)
> > amsoares@netcabo.pt
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of Nitin Venugopal
> > Sent: Wednesday, 28 January 2009 19:10
> > To: Antonio Soares
> > Cc: Rohyans, Aaron; security@groupstudy.com; ccielab@groupstudy.com
> > Subject: Re: SPA-IPSEC-2G
> >
> > Does your show crypto eli show you any IKE or IPsec sessions?
> >
> >
> > # show crypto eli
> > Hardware Encryption Layer : ACTIVE
> > Number of crypto engines = 1 .
> > CryptoEngine-SPA-IPSEC-2G[5/0] (slot-5/0) details.
> > Capability-IPSec : No-IPPCP, 3DES, AES, RSA
> > IKE-Session : 34 active, 10921 max, 0 failed
> > DH-Key : 0 active, 9999 max, 0 failed
> > IPSec-Session : 196 active, 21842 max, 0 failed
> >
> > Does your #show crypto ipsec sa indicate hardware encryption?
> >
> > local ident (addr/mask/prot/port): (172.21.20.0/255.255.254.0/0/0)
> > remote ident (addr/mask/prot/port): (172.25.107.0/255.255.255.0/0/0)
> > current_peer: 172.30.10.87:500
> > PERMIT, flags={origin_is_acl,}
> > #pkts encaps: 4333138, #pkts encrypt: 4333138, #pkts digest: 4333138
> > #pkts decaps: 3410511, #pkts decrypt: 3410511, #pkts verify: 3410511
> > #pkts compressed: 0, #pkts decompressed: 0
> > #pkts not compressed: 0, #pkts compr. failed: 0
> > #pkts not decompressed: 0, #pkts decompress failed: 0
> > #send errors 1, #recv errors 0
> > local crypto endpt.: 172.30.1.65, remote crypto endpt.: 172.30.10.87
> > path mtu 1500, media mtu 1500
> > current outbound spi: AA2573C
> > inbound esp sas:
> > spi: 0x919A3457(2442802263)
> > transform: esp-3des esp-sha-hmac ,
> > in use settings ={Tunnel, }
> > slot/subslot: 5/0, conn id: 11037, flow_id: 114, crypto map: mbank
> > crypto engine type: Hardware, engine_id: 2
> > sa timing: remaining key lifetime (k/sec): (205245/2336)
> > ike_cookies: A54055D1 12D8A90E 2E1AA3AE 499E095D
> > IV size: 8 bytes
> > replay detection support: Y
> > inbound ah sas:
> > inbound pcp sas:
> > outbound esp sas:
> > spi: 0xAA2573C(178411324)
> > transform: esp-3des esp-sha-hmac ,
> > in use settings ={Tunnel, }
> > slot/subslot: 5/0, conn id: 11038, flow_id: 115, crypto map: mbank
> > crypto engine type: Hardware, engine_id: 2
> > sa timing: remaining key lifetime (k/sec): (205249/2336)
> > ike_cookies: A54055D1 12D8A90E 2E1AA3AE 499E095D
> > IV size: 8 bytes
> > replay detection support: Y
> > outbound ah sas:
> > outbound pcp sas:
> >
> > I have a feeling your SPA module is working but there are some other
> > issues causing drops. Also, as per my understanding, once you have the SPA
> > module on your 7600, software-based encryption no longer works (you
> > can try with a normal IPsec configuration with no crypto slot
> > commands; it doesn't work).
> >
> > Can you share the output of the command "show crypto sessions"?
> >
> > Best Regards
> > Nithin
> >
> >
> > On Wed, Jan 28, 2009 at 9:53 PM, Antonio Soares <amsoares@netcabo.pt>
> > wrote:
> >
> > > When IPsec VTI is enabled, the response times are very high, with
> > > some drops. This was not seen with the previous IOS release. So we
> > > are assuming that hardware encryption is not taking place. But I
> > > need some commands to verify what is really going on with the
> > > SPA-IPSEC.
> > >
> > > The "show crypto eli" shows me that the SPA-IPSEC is "ACTIVE".
> > >
> > > But the "show crypto engine brief" and "show crypto engine configuration"
> > > do not show anything related to the SPA. So I really don't know if
> > > the SPA is doing its job or not.
> > >
> > > So now as a workaround, we have reconfigured all tunnel interfaces
> > > as regular GRE tunnels.
> > >
> > > Trying to answer some offline replies i received:
> > >
> > > 1) We have "VPNs in Crypto Connect Alternative Mode (CCA)":
> > >
> > >
> > > http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76cfvpn1.html#wp2494175
> > >
> > > 2) This configuration is supported with the hw/sw combination we
> > > have (12.2.33SRB2+SUP720-3B).
> > >
> > > 3) The "show module" and "show diag" outputs don't show any problems
> > > with the SSC-400 and SPA-IPSEC.
> > >
> > >
> > > Thanks.
> > >
> > > Regards,
> > >
> > > Antonio Soares, CCIE #18473 (R&S)
> > > amsoares@netcabo.pt
> > >
> > > -----Original Message-----
> > > From: Rohyans, Aaron [mailto:arohyans@dpsciences.com]
> > > Sent: Wednesday, 28 January 2009 16:04
> > > To: Antonio Soares; security@groupstudy.com
> > > Cc: ccielab@groupstudy.com
> > > Subject: RE: SPA-IPSEC-2G
> > >
> > > Does the tunnel come up, but no traffic passes? There are a few
> > > things to try:
> > >
> > > 1. Disable the Crypto Accelerator and run in software mode to see
> > > if you can get the tunnels up and passing traffic. If yes, you may
> > > need to experiment with the settings on your Accelerator before
> > > re-enabling it (see option 2).
> > > 2. Try experimenting with different Phase 2 transforms. I've only
> > > seen an issue like this with ISRs on 12.4 using a VPN Accelerator,
> > > but essentially I couldn't run 3DES and had to either run AES or
> > > just DES before it would work - that or run in software mode.
> > >
> > > Hope this helps,
> > >
> > > Aaron T. Rohyans
> > > Senior Network Engineer
> > > CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IDS, CQS-VPN, ISSP, CISP,
> > > JNCIA-ER
> > > DPSciences Corporation
> > > 7400 N. Shadeland Ave., Suite 245
> > > Indianapolis, IN 46250
> > > Office: (317) 849-6772 x 7626
> > > Fax: (317) 849-7134
> > > arohyans@dpsciences.com
> > > http://www.dpsciences.com/
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > > Of Antonio Soares
> > > Sent: Wednesday, January 28, 2009 7:44 AM
> > > To: security@groupstudy.com
> > > Cc: ccielab@groupstudy.com
> > > Subject: SPA-IPSEC-2G
> > >
> > > Hello group,
> > >
> > > Need help troubleshooting this one. One 7600 was upgraded from
> > > 12.2.18SXE1 to 12.2.33SRB2 and now the SPA-IPSEC-2G is not
> > > encrypting the traffic. In fact the module seems healthy but
> > > something is missing in the outputs below:
> > >
> > > ------------------------------------------------------------------
> > > 7606#show crypto eli
> > >
> > > Hardware Encryption : ACTIVE
> > > Number of hardware crypto engines = 1
> > >
> > > CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
> > > Capability :
> > > IPSEC: DES, 3DES, AES, RSA
> > >
> > > IKE-Session : 0 active, 16383 max, 0 failed
> > > DH : 0 active, 9999 max, 0 failed
> > > IPSec-Session : 0 active, 65534 max, 0 failed
> > >
> > > ------------------------------------------------------------------
> > > 7606#sh crypto en brief
> > >
> > > crypto engine name: Cisco VPN Software Implementation
> > > crypto engine type: software
> > > serial number: 00000000
> > > crypto engine state: installed
> > > crypto engine in slot: N/A
> > > ------------------------------------------------------------------
> > > 7606#sh crypto en conf
> > >
> > > crypto engine name: Cisco VPN Software Implementation
> > > crypto engine type: software
> > > serial number: xxxxxxxx
> > > crypto engine state: installed
> > > crypto engine in slot: N/A
> > > platform: Cisco Software Crypto Engine
> > >
> > > Crypto Adjacency Counts:
> > > Lock Count: 0
> > > Unlock Count: 0
> > > crypto lib version: 18.0.0
> > >
> > > 7606#
> > > ------------------------------------------------------------------
> > >
> > > What troubleshooting steps should I take? The SPA is used to
> > > accelerate IPsec Virtual Tunnel Interfaces (IPsec VTIs). Here's the
> > > configuration of one tunnel interface:
> > >
> > > !
> > > interface Tunnelx
> > >  ip unnumbered Loopbackx
> > >  tunnel source x.x.x.x
> > >  tunnel destination x.x.x.x
> > >  tunnel mode ipsec ipv4
> > >  tunnel protection ipsec profile CRYPTO-IPSEC-PROFILE
> > >  crypto engine gre vpnblade
> > >  crypto engine slot 3/0 inside
> > > !
> > >
> > >
> > > Thanks.
> > >
> > > Regards,
> > >
> > > Antonio Soares, CCIE #18473 (R&S)
> > > amsoares@netcabo.pt
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
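A scripted version of the check Nitin describes above (the per-SA "crypto engine type" and "slot/subslot" lines of "show crypto ipsec sa" are what tell you whether the SPA is actually carrying a given SA), as an added example that is not part of this thread or of any Cisco tooling: a small Python parser that walks captured "show crypto ipsec sa" output and reports every SA that is not on the expected SPA slot. The sample output is constructed: the first peer is adapted from the output Nitin posted (both ESP SAs on the SPA in slot 5/0), the second peer is made up to show what a software-engine SA looks like. Field names follow the output shown in the thread; the parser only matches those lines and makes no other claim about IOS output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output. Peer 172.30.10.87 is adapted from the thread's posted
# "show crypto ipsec sa" (both ESP SAs on the SPA in slot 5/0). Peer 172.30.10.88 is
# made up: a software-engine SA with no slot/subslot line, which is what you would
# expect if the VTI is not bound to the SPA at all.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: Tunnel1
   current_peer: 172.30.10.87:500
    #pkts encaps: 4333138, #pkts encrypt: 4333138, #pkts digest: 4333138
    #pkts decaps: 3410511, #pkts decrypt: 3410511, #pkts verify: 3410511
     inbound esp sas:
      spi: 0x919A3457(2442802263)
        transform: esp-3des esp-sha-hmac ,
        slot/subslot: 5/0, conn id: 11037, flow_id: 114, crypto map: mbank
        crypto engine type: Hardware, engine_id: 2
     outbound esp sas:
      spi: 0xAA2573C(178411324)
        transform: esp-3des esp-sha-hmac ,
        slot/subslot: 5/0, conn id: 11038, flow_id: 115, crypto map: mbank
        crypto engine type: Hardware, engine_id: 2
interface: Tunnel2
   current_peer: 172.30.10.88:500
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-3des esp-sha-hmac ,
        conn id: 2001, flow_id: SW:1, crypto map: Tunnel2-head-0
        crypto engine type: Software, engine_id: 1
"""


@dataclass
class IpsecSa:
    peer: str
    direction: str            # "inbound" or "outbound"
    spi: str
    transform: str = ""
    slot: Optional[str] = None  # "5/0" when the SA lives on a SPA; None for software SAs
    engine_type: str = ""       # "Hardware" or "Software" as printed by IOS


# Each regex matches one field exactly as it appears in the output above.
PEER_RE = re.compile(r"current_peer:\s*(\S+)")
DIR_RE = re.compile(r"^\s*(inbound|outbound)\s+esp\s+sas:")
SPI_RE = re.compile(r"^\s*spi:\s*(0x[0-9A-Fa-f]+)")
TRANSFORM_RE = re.compile(r"transform:\s*(.+?)\s*,?\s*$")
SLOT_RE = re.compile(r"slot/subslot:\s*(\d+/\d+)")
ENGINE_RE = re.compile(r"crypto engine type:\s*(\w+)")


def parse_ipsec_sas(text: str) -> List[IpsecSa]:
    """Return one IpsecSa per 'spi:' block, tagged with its peer and direction."""
    sas: List[IpsecSa] = []
    peer = direction = ""
    current: Optional[IpsecSa] = None
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            peer, current = m.group(1), None
            continue
        if m := DIR_RE.match(line):
            direction, current = m.group(1), None
            continue
        if m := SPI_RE.match(line):
            current = IpsecSa(peer=peer, direction=direction, spi=m.group(1))
            sas.append(current)
            continue
        if current is None:
            continue            # header or counter lines outside an SA block
        if m := TRANSFORM_RE.search(line):
            current.transform = m.group(1)
        elif m := SLOT_RE.search(line):
            current.slot = m.group(1)
        elif m := ENGINE_RE.search(line):
            current.engine_type = m.group(1)
    return sas


def audit_hardware_crypto(sas: List[IpsecSa], expected_slot: str) -> List[str]:
    """One finding per SA that is not handled by the SPA in expected_slot (e.g. "5/0")."""
    findings: List[str] = []
    for sa in sas:
        where = f"{sa.peer} {sa.direction} spi {sa.spi}"
        if sa.engine_type != "Hardware":
            findings.append(f"{where}: engine type is {sa.engine_type or 'unknown'}, not Hardware")
        elif sa.slot != expected_slot:
            findings.append(f"{where}: on slot/subslot {sa.slot}, expected {expected_slot}")
    return findings


if __name__ == "__main__":
    # Usage: feed a captured "show crypto ipsec sa" and the slot your SPA sits in.
    for finding in audit_hardware_crypto(parse_ipsec_sas(SAMPLE_SHOW_CRYPTO_IPSEC_SA), "5/0"):
        print(finding)
```

On a box with hundreds of SAs this is faster than reading the output by eye, and it catches the case the thread is chasing: an SA that came up, but on the software engine rather than the SPA. Run it against a fresh capture after "clear crypto sa" so that stale SAs from before a reconfiguration do not mask the result.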
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST