Dec 1st, 2008

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update for learning how to extend your Cisco Catalyst 6500 Series infrastructure with scalable IP Security (IPSec) VPN aggregation with Cisco expert Tim Van Herck. Tim is a technical marketing engineer in the access routing technology group at Cisco, focusing on VPN headend devices. He worked in the San Jose headquarters after a two-year assignment in Brussels, Belgium. Tim has worked for Cisco for seven years, starting as a development test engineer, focusing on performance and system level testing, for high-end VPN products. He has worked in the communications industry for over 10 years. He holds a master's degree in industrial engineering, majoring in computer science.

Remember to use the rating system to let Tim know if you have received an adequate response.

Tim might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 12, 2008. Visit this forum often to view responses to your questions and the questions of other community members.

herckt Tue, 12/02/2008 - 14:30

A maximum of 10 VSPA modules can be deployed in a single chassis, providing an aggregate performance of 80 Gbps.

billy10012 Mon, 12/01/2008 - 16:47

I have a Cisco 1720 router and I can't find the IOS software. Where can I download the software?

Second, I am having installation problems with the router: I can't find the network card interface on the back; I just have the 56k and the console interface card.

Tue, 12/02/2008 - 06:35

Hi, I am getting the below log on the router; if I do sh crypto isakmp sa it shows 'QM_IDLE'.


%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at x.x.x.x.

Please suggest/advise whether any misconfiguration has occurred in the IPsec config.



herckt Tue, 12/02/2008 - 14:38

The error message indicates a failure to negotiate the IPsec Phase 2 Security Association (also called Quick Mode). This is likely a result of mismatching transform sets or incorrect crypto ACLs at one of the peers.

Wed, 12/03/2008 - 04:43

Hi, thanks a lot!! I have noticed a crypto ACL mismatch... let me correct and check.

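As an added example (not configuration posted in this thread), the Phase 2 inputs that must agree on both peers before Quick Mode can succeed, and the two ways they most often fail. Assumed: two IOS routers, site A at 203.0.113.1 fronting 10.1.0.0/16 and site B at 198.51.100.1 fronting 10.2.0.0/16; the pre-shared key and ACL names are placeholders.

```cisco
! ===== Site A =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key SiteAB-PSK-ChangeMe address 198.51.100.1
!
! Transform set: ciphers, integrity and mode must match the peer's proposal
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL (proxy identities): the exact mirror of site B's, src/dst swapped
ip access-list extended TO-SITE-B
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set AES256-SHA
 match address TO-SITE-B
!
! ===== Site B =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key SiteAB-PSK-ChangeMe address 203.0.113.1
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
ip access-list extended TO-SITE-A
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set AES256-SHA
 match address TO-SITE-A
!
! Two edits to site B that each reproduce %CRYPTO-6-IKMP_MODE_FAILURE while
! "show crypto isakmp sa" still reports QM_IDLE (Phase 1 is healthy):
!   transform-set AES256-SHA esp-3des esp-md5-hmac     -> no acceptable transform
!   permit ip 10.2.0.0 0.0.255.255 10.1.1.0 0.0.0.255  -> proxy identity mismatch
!
! Where to look on the responder:
!   debug crypto ipsec   (messages along the lines of "proxy identities not
!                         supported" or "transform proposal not supported")
!   show crypto ipsec sa (no SA built for the failing ACL entry)
```

The crypto ACLs are the usual culprit because they are compared as proposed identities, so a narrower or wider subnet on one side is a mismatch even though it "overlaps". DH group 2 and a pre-shared key reflect the era of the thread; a current deployment would pick a stronger group and, where possible, certificates.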


ekatscisco Thu, 12/04/2008 - 09:44

I have an ASA 5510 firewall and its flash memory is missing. How may I get a new one?

Also, I have a 24-port Catalyst but I use another one, because when I try to connect all the cables to the Catalyst nothing works (it's in its default state). Should I make it do something particular with the CLI?

herckt Thu, 12/11/2008 - 22:39

Flash memory for your ASA can be ordered directly from the Cisco website or from any of our partners. The product code is ASA5500-CF-256MB= or ASA5500-CF-512MB= depending on the desired size.

For your Catalyst switch I would advise you to open a TAC case as this is a question that is outside the scope of this forum.

herckt Mon, 12/08/2008 - 14:03

The Catalyst 3750 is a fixed switch in terms of fiber ports and can have 2 10GE or 4 GE ports. 12 ports cannot be provisioned on a single switch but this can be achieved by stacking 3 switches.

amritpatek Mon, 12/08/2008 - 09:42

Can I use my existing VPNSPA and install a VSPA for increased performance?

herckt Mon, 12/08/2008 - 14:05

Yes. If a Catalyst 6500 chassis is already populated with one or more VPN SPA (SPA-IPSEC-2G) modules, additional VSPA (WS-IPSEC-3) modules can be used to augment overall VPN bandwidth of the chassis. A maximum of 10 modules combined can be provisioned in a single chassis providing up to 80 Gbps aggregated IPsec VPN throughput.

sandeep.choudhary Wed, 12/10/2008 - 04:16

Hi, I am trying to implement an IPsec DDR backup solution between two c1811 routers using p2p DDR-based access and two analog lines connected to the V92 port. There are three scenarios:


When the dialer dials the other side, the chat script gives the error "Chat script dialout finished, status = Connection timed out; remote host not responding" and TTY1: Line reset by "Async dialer". When I do a reverse telnet to one modem and dial the other side's modem, I get a connect at a different speed.



I have attached the config & debug output. I will appreciate your advice on the same.

rubens.palhoni Wed, 12/10/2008 - 07:47

Hi all,

I'm trying to configure an IPsec remote access VPN so that users can access internal network resources. My equipment is a 6513 and I am using a VPN module SPA 4000.

The users can connect and establish the tunnel but cannot access anything. Can you help me? I think I have a deployment error. Here is the topology of my environment as it is today. The only difference is that I have a FWSM as the gateway to the Internet.

Regards to all

herckt Thu, 12/11/2008 - 22:34

There is indeed a deployment error here. You have basically bridged traffic through the FWSM but not through the VPN SPA. This is achieved by VLAN chaining, where each of the modules relies on an inside and an outside VLAN.

For the VPN SPA the bridging is facilitated through the 'crypto connect vlan N' command, which is applied to the outside VLAN, which in this case has to coincide with the inside FWSM VLAN (5). This VPN SPA outside VLAN will have no IP address as it is purely bridging. The IP address will be placed on the inside VLAN, which besides a crypto map also has a 'crypto engine subslot s/b' command that specifies which engine will be used.

In short, another VLAN needs to be added to bridge the traffic through the VPN SPA. The configuration will need to be modified to match the following flow:

interface vlan 20
 ! Has switchport physical interfaces
 ! Is outside FWSM vlan

interface vlan 5
 ! Is inside FWSM vlan & outside VPN SPA vlan
 no ip address
 crypto connect vlan N

interface vlan N
 ! Is inside VPN SPA vlan
 ip address
 crypto map VPN redundancy hsrp-Vl5-5
 crypto engine subslot 3/0

On the FWSM, also ensure that UDP 500 and 4500 are open, as well as ESP and AH protocol.
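The VLAN chain described above, filled out as an added example (this is not the poster's configuration, nor Cisco's reference config). Assumed: a single chassis with the FWSM in slot 4 and the VPN SPA in subslot 3/0 (so no HSRP redundancy keyword), VLAN 20 on the Internet side of the FWSM, VLAN 5 between FWSM and SPA, VLAN 100 as the SPA's inside interface VLAN, RFC 5737 addresses, FWSM 3.x syntax, and an Easy VPN group with a local user for the remote-access clients; the key, user, pool and ACL names are placeholders.

```cisco
! ===== Catalyst 6500 supervisor (IOS) =====
vlan 5,20,100
!
! Hand VLAN 20 (outside) and VLAN 5 (inside) to the FWSM
firewall vlan-group 1  5,20
firewall module 4 vlan-group 1
!
interface Vlan20
 description FWSM outside; the FWSM owns the IP on this VLAN, not the supervisor
 no ip address
!
! Inside of the FWSM = outside (port VLAN) of the VPN SPA: pure bridge, no IP
interface Vlan5
 description FWSM inside / VPN SPA outside
 no ip address
 crypto connect vlan 100
!
! Inside (interface VLAN) of the VPN SPA: the address IPsec clients terminate on
interface Vlan100
 description VPN SPA inside
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN
 crypto engine subslot 3/0
!
! Default route toward the Internet goes via the FWSM's inside address
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
! --- Remote-access (Easy VPN server) pieces bound to crypto map VPN ---
aaa new-model
aaa authentication login VPN-USERS local
aaa authorization network VPN-GROUP local
username alice secret Str0ng-Local-Passw0rd-ChangeMe
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp client configuration group REMOTE
 key GroupPSK-ChangeMe
 pool VPN-POOL
 acl SPLIT-TUNNEL
ip local pool VPN-POOL 10.10.10.1 10.10.10.254
ip access-list extended SPLIT-TUNNEL
 permit ip 10.1.0.0 0.0.255.255 any
!
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
crypto dynamic-map DYN 10
 set transform-set AES256-SHA
 reverse-route
!
crypto map VPN client authentication list VPN-USERS
crypto map VPN isakmp authorization list VPN-GROUP
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic DYN

! ===== FWSM (its own CLI, e.g. "session slot 4 processor 1") =====
interface Vlan20
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
interface Vlan5
 nameif inside
 security-level 100
 ip address 203.0.113.254 255.255.255.0
!
! Only IKE (UDP 500), NAT-T (UDP 4500), ESP and AH may reach the SPA address
access-list OUTSIDE_IN extended permit udp any host 203.0.113.1 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 203.0.113.1 eq 4500
access-list OUTSIDE_IN extended permit esp any host 203.0.113.1
access-list OUTSIDE_IN extended permit ah any host 203.0.113.1
access-group OUTSIDE_IN in interface outside
```

The point to check after applying this is that 203.0.113.1 (Vlan100) and 203.0.113.254 (FWSM inside on Vlan5) sit in the same subnet even though they are on different VLAN numbers: the SPA bridges the two, which is why Vlan5 carries no address of its own. Decrypted client traffic then lands on Vlan100 and is routed internally without touching the FWSM again. As in the thread's era, the group pre-shared key and DH group 2 are weak by current standards; prefer certificates and a stronger group where the client base allows it.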

HWangLoyalty_2 Thu, 12/11/2008 - 14:39

We have several VPN tunnels which are connected to our VPN module on our 6500 core switch. We have recently experienced a connection issue with one of the VPN tunnels. The remote peer uses a PIX or ASA running 7.0(7). When the issue happened, show isakmp and show ipsec were fine. When we tried to connect to our vendor, we could find that the count of pkts encrypt increased, but the count of pkts decaps did not change. It looks like all traffic goes into a "black hole". I have to clear the ipsec sa to rebuild this tunnel because the isakmp sa is fine. My question is:

To keep the same policy as the remote peer, we changed the ipsec lifetime from 3600 (the default on the VPN module) to 28800. But we did not change the idle time for that. Do we need to change it? Do you know the default idle-time on PIX or ASA 7.0(7) and the VPN module?

Please advise. Thanks

herckt Thu, 12/11/2008 - 22:13

This is likely due to an SA that has rekeyed on only one peer, which indeed leads to packets being black-holed on one end. One thing to check here is whether both peers share the same SPI values for a given IPsec SA.

On the receiving side (the peer where no packets appear to be decrypted), you should see invalid SPI messages on the console indicating that it received an ESP/AH packet for which it has no SPI i.e. security policy.

I would first ensure that DPD or IKE keepalives are enabled, which will monitor the IKE SA between the two devices. (crypto isakmp keepalive). If there is any NAT between the chassis, also set 'crypto isakmp nat keepalive'.

Next, enable 'crypto isakmp invalid-spi-recovery', which allows SPIs to be recycled and eliminates the need to re-establish a tunnel.

To your question, idle time and life time operate independently of each other. Idle time will terminate a tunnel after a set time during which no traffic has been recorded over the tunnel. Life time causes a tunnel to rekey, which is a standard operation for any IPsec tunnel. The life time indicates the maximum time that an SA can maintain the same keying material. So, in short, no, you would not need to adjust the value.
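The three settings recommended above, plus the checks for the one-sided-rekey signature, as an added example (not configuration from this thread). Assumed: the 6500's VPN SPA terminates the tunnel at 203.0.113.1, the vendor's ASA/PIX 7.x peer is 198.51.100.1, and the ASA lines use 7.x syntax; the console message is quoted from memory of the IOS format and marked approximate.

```cisco
! ===== Catalyst 6500 / VPN SPA side (IOS) =====
! IKE liveness: periodic DPD every 10 s, 3 retries. A peer that silently lost
! its SAs is then detected and the IKE SA torn down instead of staying "fine"
crypto isakmp keepalive 10 3 periodic
!
! Only needed when a NAT device sits between the peers (keeps the UDP 4500
! mapping alive during idle periods)
crypto isakmp nat keepalive 20
!
! When ESP arrives with an SPI this side no longer holds, start a fresh IKE
! negotiation rather than black-holing until the peer's lifetime expires
crypto isakmp invalid-spi-recovery
!
! Phase 2 lifetime. The peers settle on the smaller of the two proposals, so a
! mismatch only changes when the rekey happens; it does not cause the black hole
crypto ipsec security-association lifetime seconds 28800
!
! Idle-time is independent (tear down an SA carrying no traffic) and off by
! default; it does not address a one-sided rekey, so it stays commented here
! crypto ipsec security-association idle-time 600

! ===== Remote ASA / PIX 7.x side (vendor peer, assumed syntax) =====
crypto ipsec security-association lifetime seconds 28800
isakmp nat-traversal 20
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 isakmp keepalive threshold 10 retry 3

! ===== Checks on the IOS side while traffic is black-holed =====
! The inbound SPI here must equal the peer's outbound SPI (and vice versa).
! "pkts encaps" climbing while "pkts decaps" stays flat is the signature.
show crypto ipsec sa peer 198.51.100.1 | include spi|pkts
show crypto isakmp sa
!
! On the side that lost the SA the console shows, approximately:
!   %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
!   destaddr=203.0.113.1, prot=50, spi=0x4B9A1A78(...), srcaddr=198.51.100.1
```

Run the two show commands on both peers at the same moment and compare SPIs pairwise; a tunnel that "looks fine" on each side independently but whose SPIs do not cross-match is exactly the state the answer above describes. DPD and invalid-SPI recovery are complementary: DPD catches a peer that is gone, invalid-SPI recovery catches a peer that is present but holding different keys.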

HWangLoyalty_2 Fri, 12/12/2008 - 08:19

Actually you are right. This is the IPsec SA rekey process when I tried to clear the IPsec session. On our vendor's side, we could find a "failed anti-replay checking" error message.

On our side, we did not turn on DPD or IKE keepalives, but our vendor did. Do we need to enable that?

On our side, we already turned on "invalid-spi-recovery". But we do not know if our vendor turned it on. On PIX or ASA 7.0(7), is there the same command for that? If there is, our vendor needs to enable it.

I know that idle time and life time operate independently of each other. But if we did not set up idle time, could it cause this issue? Actually I do not think so, because this kind of issue happened only on this tunnel.

Please advise! Thanks for your support.

