Filter
Top Products
4-23
C7200 VSA (VPN Services Adapter) Installation and Configuration Guide
OL-9129-02
Chapter 4 Configuring the VSA
Monitoring and Maintaining the VSA
To see if the IKE/IPSec packets are being redirected to the VSA for IKE negotiation and IPSec
encryption and decryption, enter the show crypto eli command. The following is sample output when
Cisco IOS software redirects packets to the VSA:
Router# show crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine VSA details: state = Active
Capability : DES, 3DES, AES, RSA
IKE-Session : 0 active, 5120 max, 0 failed
DH : 0 active, 5120 max, 0 failed
IPSec-Session : 0 active, 10230 max, 0 failed
When the software crypto engine is active, the show crypto eli command yields no output.
When the Cisco IOS software agrees to redirect crypto traffic to the VSA, it prints a message similar to
the following:
%ISA-6-INFO:Recognised crypto engine (0) at slot-0
...switching to hardware crypto engine
To disable the VSA, use the configuration mode no crypto engine accelerator <slot> command, as
follows:
Router(config)# no crypto engine accelerator 0
...switching to SW crypto engine
Router(config)#
*Feb 6 11:57:26.763: %VPN_HW-6-INFO_LOC: Crypto engine: slot 0 State changed to:
Disabled
*Feb 6 11:57:26.779: %PA-3-DEACTIVATED: port adapter in bay [0] powered off.
*Feb 6 11:57:26.779: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
Router(config)#end
Monitoring and Maintaining the VSA
This section includes the following topics:
• Using Deny Policies in Access Lists, page 4-23
• Monitor and Maintenance Commands, page 4-24
Using Deny Policies in Access Lists
Specifying a deny address range in an access list results in “jump” behavior. When a denied address
range is hit, it forces the search to “jump” to the beginning of the access list associated with the next
sequence on a crypto map and continue the search. If you want to pass clear traffic on these addresses,
you must insert a deny address range for each sequence on a crypto map. In turn, each permit list of
addresses inherits all the deny address ranges specified in the access list. A deny address range causes
the software to do a subtraction of the deny address range from a permit list, and creates multiple permit
address ranges that need to be programmed in hardware. This behavior can cause repeated address
ranges to be programmed in the hardware for a single deny address range, resulting in multiple permit
address ranges in a single access list.