[c-nsp] Troubling IPSec issues with a 6500
Pete S.
pshuleski at gmail.com
Wed Sep 12 11:52:49 EDT 2007
I was under the impression that it was software-based unless you had
the IPSEC SPA module.

I haven't heard of an issue like that though. Although I have
experienced similar issues like wccp would not redirect unless I
enabled netflow on the interface. I guess it kicked it into software
and then wccp would work.

One issue we have had with ipsec is the adjust-mss command is not
available on the 6500 until a later release. I have not checked up if
it is in the latest SXF yet however. Until it is, you will need to
clear the DF bit on all traffic exiting the tunnels which means more
cpu required to re-assemble on the remote side.
On 9/12/07, Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
>
> On Wed, Sep 12, 2007 at 09:10:52AM -0400, Aaron Daubman wrote:
> > I have a client that's run into some trouble with IPSec-over-GRE and
> > I'm trying to help debug. The problem sounds very familiar, however I
> > haven't come up with a solution yet in my searches...
> >
> > The basic setup is:
> >
> > 7206(GigE)<------>(GigE)6500
>
> Are you sure IPSEC on the 6500 is supported?
>
> From your description, this sounds as if
>
> - CPU switched traffic (locally generated) will use IPSEC
> - hardware-switched traffic will only do GRE (because the hardware knows
> how to do that).
>
> As far as I understand the architecture, a basic 6500 won't do IPSEC...
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>