Interoperability issues with Nortel Contivity 1010 ?
Good day All,
I have two questions related to the subject of this post.
1. What does the router process "crypto engine pr" handle for the router?
2. Has anyone experience interoperability issues with Nortel Contivity devices (or similar experiences as described below)?
First: What does the router process "crypto engine pr" handle for the router? I've posed this question more than several times to an open SR I had with TAC but no response did I receive. Having this information may provide some additional insight to the root cause of my router hanging every 2 hours (as described further below).
Secondly: We ran into what appears to be an interoperability issue with a Nortel Contivity 1010 VPN device and our site to site VPN environment. Through process of elimination we found this to be true.
The symptoms we observed were that every 2 hours the router would hang and all VPN site to site associations would hang, drop and no sessions were able to reconnect. One tell tale sign this was happening was that the router process "crypto engine pr" would run 80+% and never drop. Eventually SSH access was unavailable to the subject core VPN hub router and it had to be reloaded only to start the 2 hour cycle again. We built an internet facing ACL to deny all inbound peer traffic and through process of elimination found the offending site.
We have over 580 IPSec site to site VPN sessions defined on this router with no problems before the offending site became active. This VPN hub is a 7206VXR G2 VAM+ running IOS version 12.4(24)T3
Through internet seach I found more details about the Nortel device, namely it was discontinued by manufacturing in 2008 and end of support is 2013. I realize one way to protect my environment is to disallow non-supported and maintained devices, but this is more of a sales offering challenge than a network engineering issue.
Still, to try and protect my environment I am planning to place on the VPN edge layer a Quarentine router to connect this offernding peer to in order to gather some more detailed information so we can bring this site online (or provide additional information to our customer as to why this is not possible).
Thanks in advance for your thoughtful replies and information.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :