Chapter 4 Configuring the VSA

Monitoring and Maintaining the VSA

To see if the IKE/IPSec packets are being redirected to the VSA for IKE negotiation and IPSec encryption and decryption, enter the show crypto eli command. The following is sample output when Cisco IOS software redirects packets to the VSA:

Router# show crypto eli

Hardware Encryption : ACTIVE

Number of hardware crypto engines = 1

CryptoEngine VSA details: state =

Active

 

Capability

 

: DES, 3DES, AES,

RSA

 

IKE-Session

:

0

active,

5120

max, 0 failed

DH

:

0

active,

5120

max, 0

failed

IPSec-Session :

0

active, 10230

max, 0

failed

When the software crypto engine is active, the show crypto eli command yields no output.

When the Cisco IOS software agrees to redirect crypto traffic to the VSA, it prints a message similar to the following:

%ISA-6-INFO:Recognised crypto engine (0) at slot-0

...switching to hardware crypto engine

To disable the VSA, use the configuration mode no crypto engine accelerator <slot> command, as follows:

Router(config)# no crypto engine accelerator 0

...switching to SW crypto engine Router(config)#

*Feb 6 11:57:26.763: %VPN_HW-6-INFO_LOC: Crypto engine: slot 0 State changed to: Disabled

*Feb 6 11:57:26.779: %PA-3-DEACTIVATED: port adapter in bay [0] powered off.

*Feb 6 11:57:26.779: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF Router(config)#end

Monitoring and Maintaining the VSA

This section includes the following topics:

Using Deny Policies in Access Lists, page 4-23

Monitor and Maintenance Commands, page 4-24

Using Deny Policies in Access Lists

Specifying a deny address range in an access list results in “jump” behavior. When a denied address range is hit, it forces the search to “jump” to the beginning of the access list associated with the next sequence on a crypto map and continue the search. If you want to pass clear traffic on these addresses, you must insert a deny address range for each sequence on a crypto map. In turn, each permit list of addresses inherits all the deny address ranges specified in the access list. A deny address range causes the software to do a subtraction of the deny address range from a permit list, and creates multiple permit address ranges that need to be programmed in hardware. This behavior can cause repeated address ranges to be programmed in the hardware for a single deny address range, resulting in multiple permit address ranges in a single access list.

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

 

OL-9129-02

4-23

 

 

 

Page 56 Page 58
Page 57
Image 57
Cisco Systems C7200 manual Monitoring and Maintaining the VSA, Using Deny Policies in Access Lists
Page 56 Page 58
Top Page Image Contents