Query on VAM2+

Answered Question
Nov 25th, 2008

Hi Team

In the output of "show crypto engine accelerator statistic" command, what is the significance of "ppq full errors" and "replay errors" and how can we reduce them?



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
vaibhav-g Wed, 11/26/2008 - 00:56


one last query

Thanks for the info. My orginal query still remains unanswered. According to the datasheet sent by you earlier, Cisco 7206 can support 5000 tunnels with 280 Mbps of encrypted data (with NPE-G1 processor) But, the the particular device in question is currently working with 600 approx. tunnels and 100Mbps of encrypted data, that too with a NPE-G2 processor. Can this device support the tunnels and encrypted data as given in the datasheet with the present memory and config (show tech sent earlier) Then, why is the device showing ppq full errors with 1Gb of RAM? What is the solution to ppq errors and replay errors?

Kindly treat this on priority.



Giuseppe Larosa Wed, 11/26/2008 - 04:13

Hello Vaibhav,

ppq errors means protected packets queues and refers to queues on the VAM2+

Number of packets dropped because of a lack of space in the packet processing queues for the VAM. This usually means that input traffic has reached VAM maximum throughput possible.

So the 1GB RAM of NPE-G2 plays no role here.

data sheet notes:

Throughput-Single VAM2+*

Up to 280 Mbps using 3DES or AES

As measured with IPSec 3DES HMAC-SHA1 on 1400 byte packets.

1400 bytes packets means:

280 Mbps / ((1400+100)*8) means 23,350 pps

So if your packets are smaller for example you are carrying VoIP packets inside the tunnels you can have an higher packet rate with 99 Mbps.

How to avoid errors:

I would consider in the mid long term to use two C7206VXR with VAM2+ and/or also to perform a design review.

Take in account also an upgrade of IOS, because in my case was needed.

Hope to help


vaibhav-g Wed, 11/26/2008 - 04:30

Hi Guseppe

Thanks a lot for such kind support.

Thank you so much



vaibhav-g Wed, 11/26/2008 - 21:15


Thanks a lot for the valuable info.

Any word on the maximum packets per second supported by VAM2+

Also, any suggestion for the IOS?



Giuseppe Larosa Wed, 11/26/2008 - 23:23

Hello Vaibhav,

we moved successfully to 12.4(20)T same feature set with your current release that was suggested by TAC we could never make stateful IPsec to work.

About the VAM2+ capabilities in pps: I think there is more more work in encryption of decryption of packets: part of the workload is dependent on the number of IP headers to be modified so my guess is that at least the queues are more used with many packets waiting to be encrypted or decrypted and so increasing the probability of some tail queue drops when the queues are full. ans this is exactly the description of pps errors.

What is this number of max pps I'm afraid it is not declared in the datasheet.

Hope to help



This Discussion