Cisco Support Community

New Member

Intermittent AIM-VPN problems on 3660

I have a Cisco 3660 with the AIM-VPN/EP module, which participates in multiple IPsec tunnels to 3640 and 2611 series routers, which also use AIM-VPN modules.

Once in a blue moon (every 3-5 weeks) the router stops passing VPN traffic.

A "sh crypto isa sa" shows all tunnels in QM-IDLE state, which is the same as when it is ok.

A "sh crypto eng acce stat" shows some sequence failures in the middle column.

There was an old bug for the /HP module, but our Cisco partner replaced this with an EP module, which solved the problem for a few months... or so we thought.

All other IP functionality appears to still exist on the router, e.g. NAT on some non-VPN interfaces still works, as does IP routing and telnet.

Any ideas?

1 REPLY
Silver

Re: Intermittent AIM-VPN problems on 3660

Have you received any error messages once the VPN traffic has stopped? Check whether the router encrypts normally when hardware encryption is disabled with the "no crypto engine accelerator" command.

The ah_seq_fail or esp_seq_fail error counts increment in the output of "show crypto engine accelerator statistic" if there are packet encryption/decryption errors. This happens when the VPN card is placed under stress using fast switching with a mixture of fragmented and unfragmented packets. If it is a fragmentation issue, then refer to the following document, which gives you the details of the pre-fragmentation feature.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftprefrg.htm

Some IOS versions are deferred on certain platforms. Ensure that you are running 12.2(11)T3 or higher.
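
One way to watch for the counter growth the reply describes, as an added example (not part of the original thread and not Cisco code): it compares two saved captures of "show crypto engine accelerator statistic" and reports how much ah_seq_fail and esp_seq_fail grew. The capture text below is constructed, and the three-column "name: value" layout and the other counter names in it are assumptions.

```python
import re

# Counters the reply names as signs of packet encryption/decryption errors.
WATCHED = ("ah_seq_fail", "esp_seq_fail")

# Assumed layout: several "name: value" pairs per output line.
PAIR = re.compile(r"([A-Za-z_]\w*)\s*:\s*(\d+)")


def parse_counters(text):
    """Return {counter_name: value} for every 'name: value' pair in a capture."""
    counters = {}
    for line in text.splitlines():
        for name, value in PAIR.findall(line):
            counters[name] = int(value)
    return counters


def seq_fail_growth(before, after):
    """Return {name: delta} for watched counters that grew between two captures."""
    old, new = parse_counters(before), parse_counters(after)
    growth = {}
    for name in WATCHED:
        if name not in new:
            continue  # counter not present on this platform/IOS version
        delta = new[name] - old.get(name, 0)
        if delta < 0:
            # Counters were cleared or the router reloaded between captures,
            # so everything in the newer capture is new.
            delta = new[name]
        if delta > 0:
            growth[name] = delta
    return growth


# Constructed sample captures (not real router output).
BEFORE = """\
ppq_full_err: 0      ppq_rx_err: 0       cmdq_full_err: 0
esp_prot_absent: 0   esp_seq_fail: 12    esp_spi_failure: 0
ah_prot_absent: 0    ah_seq_fail: 0      ah_spi_failure: 0
"""
AFTER = BEFORE.replace("esp_seq_fail: 12", "esp_seq_fail: 57")

if __name__ == "__main__":
    for name, delta in seq_fail_growth(BEFORE, AFTER).items():
        print(f"{name} grew by {delta} between captures")
```

Taking the two captures a known interval apart, while the tunnels are still passing traffic and again after they stall, shows whether the sequence failures track the outage.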
