[c-nsp] Disable cryptographic hardware on Cisco 3845

David Prall dcp at dcptech.com
Mon Jun 18 19:47:05 EDT 2007


Crypto Engines have to be identical. Crypto Engines have to be the AIM
modules HPII+ or EPII+; onboard is not supported. I would suspect the SSL
modules are supported now as well.

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b64.html#wp1043332

David

--
http://dcp.dcptech.com
  

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joann Deng
> Sent: Monday, June 18, 2007 2:37 PM
> To: Rodney Dunn
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Disable cryptographic hardware on Cisco 3845
> 
> I am configuring stateful failover for IPSec on rtp03 and 
> rtp04, but got the following error message, then I wondered 
> if I can disable the crypto hardware.
> 
> rtp03#
> *Jun 18 00:35:37.574: %CRYPTO_HA_IPSEC-4-CRYPTO_HA_NOT_SUPPORTED_BY_HW: Crypto hardware is enabled and it does not support HA operation 'IPSec - extract keys'
> vzsjcnrtp03#
> 
> rtp04#
> *Jun 18 00:42:28.026: %CRYPTO_HA_IKE-4-CRYPTO_HA_NOT_SUPPORTED_BY_HW: Crypto hardware is enabled and it does not support HA operation 'IKE - manual SA create'
> *Jun 18 00:42:28.026: %CRYPTO_HA_IKE-3-FAILOVER_ERROR: Attempt to failover IKE SA (209.114.76.195:160.33.128.84) failed due to crypto engine does not support HA.  No stateful failover available for this SA.
> vzsjcnrtp04#
> 
> --- Rodney Dunn <rodunn at cisco.com> wrote:
> 
> > Why do you want to turn it off?
> > 
> > We do not recommend that at all because the performance is so much 
> > slower in the software path.
> > 
> > Please don't do it unless you are simply trying to narrow down a bug.
> > 
> > Rodney
> > 
> > 
> > <snip>
> > 3800-1#sh ver | incl IOS
> > Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(8), RELEASE SOFTWARE (fc1)
> > 3800-1#config t
> > Enter configuration commands, one per line.  End with CNTL/Z.
> > 3800-1(config)#no crypto engin acc
> > ...switching to SW crypto engine
> > 3800-1(config)#
> > *Jun 18 18:23:00.418: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Disabled
> > 3800-1(config)# crypto engin acc
> > ...switching to HW crypto engine
> > 3800-1(config)#
> > *Jun 18 18:23:07.694: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Enabled
> > 3800-1(config)#
> > </snip>
> > 
> > On Mon, Jun 18, 2007 at 09:43:57AM -0700, Joann Deng wrote:
> > > Hi group,
> > > 
> > > Does anybody know how to disable cryptographic hardware on
> > > Cisco 3845? As depending on configuration, either the
> > > internal Safenet chip or the IOS software is used for
> > > cryptographic operations on Cisco 3845, and
> > > I'd like to use IOS instead of the hardware.
> > > 
> > > Thanks in advance,
> > > 
> > > Joann
> > > 
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
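
Added example, not part of any message in this thread: a small Python filter for the IOS syslog messages quoted above, flagging a crypto engine that cannot do stateful failover and a hardware engine switched to the software path. The function names are hypothetical, the message layout is assumed from the quoted lines only, and the peer addresses in the sample are documentation addresses substituted for this example.

```python
import re

# Layout assumed from the lines quoted in the thread:
#   *Jun 18 00:35:37.574: %FACILITY-SEVERITY-MNEMONIC: text
SYSLOG = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+ [\d:.]+): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

def classify(line):
    """Return (timestamp, finding) for a crypto-engine event worth alerting on, else None."""
    m = SYSLOG.match(line.strip())
    if not m:
        return None
    fac, mnem, text = m["fac"], m["mnem"], m["text"]
    if fac.startswith("CRYPTO_HA_") and mnem == "CRYPTO_HA_NOT_SUPPORTED_BY_HW":
        op = re.search(r"HA operation '([^']+)'", text)
        name = op.group(1) if op else "unknown operation"
        return m["ts"], f"engine lacks HA support ({name})"
    if fac == "CRYPTO_HA_IKE" and mnem == "FAILOVER_ERROR":
        return m["ts"], "IKE SA not failed over statefully"
    if fac == "VPN_HW" and mnem == "INFO_LOC":
        st = re.search(r"Crypto engine: (.+?)\s+State changed to: (\w+)", text)
        if st and st.group(2) == "Disabled":
            return m["ts"], f"hardware engine '{st.group(1)}' disabled, software crypto in use"
    return None

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Sample input: the thread's log lines rejoined onto single lines;
# the SA peer addresses are constructed (RFC 5737 documentation ranges).
SAMPLE = [
    "*Jun 18 00:35:37.574: %CRYPTO_HA_IPSEC-4-CRYPTO_HA_NOT_SUPPORTED_BY_HW: Crypto hardware is enabled and it does not support HA operation 'IPSec - extract keys'",
    "*Jun 18 00:42:28.026: %CRYPTO_HA_IKE-4-CRYPTO_HA_NOT_SUPPORTED_BY_HW: Crypto hardware is enabled and it does not support HA operation 'IKE - manual SA create'",
    "*Jun 18 00:42:28.026: %CRYPTO_HA_IKE-3-FAILOVER_ERROR: Attempt to failover IKE SA (192.0.2.1:198.51.100.1) failed due to crypto engine does not support HA.  No stateful failover available for this SA.",
    "*Jun 18 18:23:00.418: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Disabled",
    "*Jun 18 18:23:07.694: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Enabled",
]

if __name__ == "__main__":
    for ts, finding in scan(SAMPLE):
        print(ts, finding)
```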


