cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1760
Views
0
Helpful
0
Comments
TCC_2
Level 10
Level 10

Core Issue

On Cisco 2600/3600/3700 series routers with an installed Advanced Integration Module (AIM), encryption may still be performed by the main processor instead of the AIM. The reason for this may be a hardware and software incompatibility issue, a badly seated AIM, a faulty AIM, or a hardware failure on the backplane.

Resolution

The output of the show crypto engine config command is useful for determining the cause of the problem.

This is an example of the show crypto engine config command output with the incorrect Cisco IOS  Software installed:

Router#show crypto engine config

crypto engine name: unknown
crypto engine type: software
serial number: 59E1C9F9
crypto engine state: installed
crypto engine in slot: N/A

This is an example of a poorly seated AIM (all configuration hex values show 0):

Router#show crypto engine config

crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware

Configuration: 0x000000000000000000000000
: 0x000000000000000000000000
: 0x000000000000000000000000
: 0x000000000000000000000000

CryptIC Version: 000.000
CGX Version: 000.000
CGX Reserved: 0x0000
PCDB info: 0x0000 0x0000 0x0000
Serial Number: 0x0000000000
: 0x0000000000
DSP firmware version: 000.000
DSP Bootstrap Version: 000.000
DSP Bootstrap Info: 0x0000

Compression: No
3 DES: Yes
Privileged Mode: 0x0000
Maximum buffer length: 4096
Maximum DH index: 0470
Maximum SA index: 0940
Maximum Flow index: 1880
Maximum RSA key size: 0000

Ensure that the Cisco IOS Software version is compatible with the AIM, by referring to the Software Support for Hardware section of the Software Advisor.

Also check whether a Data Encryption Standard (DES) or a Triple Data Encryption Standard (3DES) image is loaded. The image name will include either "56i" for DES, or "k9" for 3DES. The following is an example of a DES image:

c2600-js56i-mz.121-5.T9.bin is a DES image

Try reseating the AIM. For complete installation instructions, refer to Installing Advanced Integration Modules in Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers.

To verify that the card is now correctly detected issue the show crypto engine config command. The crypto engine type line should read hardware, and the Configuration field should contain valid hexadecimal numbers. The following is sample command output for a working AIM:

router#show crypto engine config

crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware

Configuration: 0x000109010F00F00784000000
: 0xA2112AB1AB68BA9C3992D377
: 0x295801AF4A12EFD108000300
: 0x00000000D78312B12546464B

CryptIC Version: 001.000
CGX Version: 001.009
CGX Reserved: 0x000F
PCDB info: 0x07F0 0x0084 0x0000
Serial Number: 0x11A2B12A68AB9CBA9239
: 0x77D35829AF01124AD1EF
DSP firmware version: 000.008
DSP Bootstrap Version: 000.003
DSP Bootstrap Info: 0x0000
Compression: No
3 DES: Yes
Privileged Mode: 0x0000
Maximum buffer length: 4096
Maximum DH index: 0470
Maximum SA index: 0940
Maximum Flow index: 1880
Maximum RSA key size: 0000

Crypto Adjacency Counts:
Lock Count: 0
Unlock Count: 0

If the values in the Configuration field are all 0s after loading the appropriate Cisco IOS Software version and reseating the AIM, either the AIM module or the motherboard is faulty.

When a hardware replacement is indicated after troubleshooting, choose from one of the following options:

  • If you have a hardware support contract directly with Cisco for this part, use the Service Order Submit Tool to request a replacement part directly.
  • For warranty service, contact the Cisco Technical Assistance Center (TAC) directly at 1-800-553-2447, or online by using the TAC Service Request Tool.
  • If your product is not covered by contract or warranty, contact your Cisco partner or reseller to request a replacement part for the hardware component that is causing the issue.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco