fw_qs_filled error

Answered Question
Mar 7th, 2007
User Badges:

Hi!!

Do you know the meaning of "fw_qs_filled" error counter on "show crypto engine accelerator statistics" command?!

Thanks

Cinzia

Correct Answer by Kamal Malhotra about 10 years 3 months ago

Hi Cinzia,


Are these counters increasing or these are at 0? I have not yet tried to find a meaning to these counters.


Regards,


Kamal

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
Correct Answer
Kamal Malhotra Wed, 03/07/2007 - 06:42
User Badges:
  • Cisco Employee,

Hi Cinzia,


Are these counters increasing or these are at 0? I have not yet tried to find a meaning to these counters.


Regards,


Kamal

csiracusa Wed, 03/07/2007 - 06:45
User Badges:

Hi Kmalhotr,

the counters are increasing....


Thanks

Cinzia

Kamal Malhotra Wed, 03/07/2007 - 07:06
User Badges:
  • Cisco Employee,

Hi Cinzia,


You seem to be hitting a bug. Which says "


"Symptoms: Small packets may be dropped when CEF is enabled. This situation may cause encryption or description failures for packets with a certain packet size.


Conditions: This symptom is observed when packets are switched on any interface via CEF or fast switching. The symptom affects packets with a small size (for example, 36 or 37 bytes).


Workaround: There is no workaround."


There is a duplicate bug of this one that is titled : VPN-NetGx: Excessive CPU usage with AH & multilink group


and it says "Using AH (authentication header) with ppp multilink-group uses excessive CPU. This happens only on the decrypt side. Two serial interfaces are bundled together on a "Multilink interface". On decryption Router A's CPU reaches 95% with just 100pps of 64 bytes and Router B's CPU reaches 95% with just 190ppps. Same routers, if used for

encryption with the same traffic do not use more than 5% of their CPU.

Even sofware crypto can decrypt the same amount of traffic with less than

5% of CPU.



This happens only with AH-SHA-HMAC or AH-MD5-HMAC and does not happen with:

ESP-3DES

ESP-3DES ESP-SHA-HMAC

ESP-3DES ESP-MD5-HMAC

ESP-AES

ESP-AES ESP-SHA-HMAC

ESP-AES ESP-MD5-HMAC

If we increase the rate, packets are dropped on the decrypt side. "fw_qs_filled" counters in "show crypto engine accelerator stat" will

start increasing and eventually traffic will stop. "


In this situation, I would recommend opening a TAC case for troubleshooting.


HTH,


Please do rate if it helps,


Regards,


Kamal

csiracusa Wed, 03/07/2007 - 08:10
User Badges:

Thanks a lot Kamal!!

If this counter will increase again I will open a TAC Case.

Best Regards and have a good time!!!

Cinzia


Actions

This Discussion