AIM-VNP/BP module for Cisco Router 2600

 
 
bensonlei@yahoo.com.hk
      03-23-2011
Hi,

We found errors for the router 2600 with AIM module ( WAN Link =
1Mbit ), and LAN = 100Mbit, VPN encryption tunnel is formed over the
WAN Link, and found the following issue:

-----------------------------

..Mar 22 01:22:05.411 HKT: %HW_VPN-1-HPRXERR: Virtual Private Network
(VPN) Module0/2: Packet Encryption/Decryption error, status=4100
Mar 22 08:26:29.253 HKT: %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED: Pak
spent too much time in the IKE input queues
Mar 22 08:26:39.774 HKT: %OSPF-5-ADJCHG: Process 10, Nbr 10.26.9.8 on
Tunnel25 from EXCHANGE to DOWN, Neighbor Down: Dead timer expired

---------------------------


Anybody knows the issue ?

Thanks so much


 
 
 
 
 
mixig
      03-23-2011
from cisco web site:

- If the IKE process is under heavy load, incoming IKE packets may spend
too much time in the IKE input queue which will result in the generation of
an error level (severity 3) Syslog message. The Syslog message is
%CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED which has this format:

%CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED : Pak spent too much time in the IKE input queues

Additional information on those syslog messages can be found at
http://www.cisco.com/en/US/docs/ios/....html#wp715560.
All %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED messages should be investigated
to determine if this issue is being exploited.

- Show crypto isakmp sa
Use the command show crypto isakmp sa to view the Internet Security
Association Key Management Protocol (ISAKMP) security associations (SAs)
table to determine if an excessive number of main mode no state
(MM_NO_STATE) entries are present. ISAKMP SAs in MM_NO_STATE indicate that
there was a main mode failure between IPSec peers and that their IKE phase 1
policies did not match. An excessively large number may be an indication of
an attempt to exploit this issue.
Example output for show crypto isakmp sa:
vpn-router#show crypto isakmp sa | include MM_NO_STATE

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> We found errors for the router 2600 with AIM module ( WAN Link =
> 1Mbit ), and LAN = 100Mbit, VPN encryption tunnel is formed over the
> WAN Link, and found the following issue:
>
> -----------------------------
>
> .Mar 22 01:22:05.411 HKT: %HW_VPN-1-HPRXERR: Virtual Private Network
> (VPN) Module0/2: Packet Encryption/Decryption error, status=4100
> Mar 22 08:26:29.253 HKT: %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED: Pak
> spent too much time in the IKE input queues
> Mar 22 08:26:39.774 HKT: %OSPF-5-ADJCHG: Process 10, Nbr 10.26.9.8 on
> Tunnel25 from EXCHANGE to DOWN, Neighbor Down: Dead timer expired
>
> ---------------------------
>
>
> Anybody knows the issue ?
>
> Thanks so much
>
>
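The two checks described in the reply above (counting MM_NO_STATE entries and tracking the IKE input-queue message), as an added example that is not part of either post or of Cisco's text. The `show crypto isakmp sa` output and log lines are constructed samples using documentation addresses, and the 0.5 threshold is an assumed value.

```python
import re
from collections import Counter

# Constructed sample of "show crypto isakmp sa" output (documentation addresses).
SAMPLE_SA = """\
dst             src             state          conn-id slot status
192.0.2.1       198.51.100.7    QM_IDLE           1001    0 ACTIVE
192.0.2.1       203.0.113.5     MM_NO_STATE          0    0 ACTIVE
192.0.2.1       203.0.113.5     MM_NO_STATE          0    0 ACTIVE (deleted)
192.0.2.1       203.0.113.9     MM_NO_STATE          0    0 ACTIVE
"""

# Constructed syslog lines modelled on the messages quoted in the thread.
SAMPLE_LOG = """\
Mar 22 08:26:29.253 HKT: %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED: Pak spent too much time in the IKE input queues
.Mar 22 08:26:31.101 HKT: %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED: Pak spent too much time in the IKE input queues
Mar 22 08:26:39.774 HKT: %OSPF-5-ADJCHG: Process 10, Nbr 10.26.9.8 on Tunnel25 from EXCHANGE to DOWN, Neighbor Down: Dead timer expired
"""

SA_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)")
LOG_ROW = re.compile(r"^\.*(\w{3}\s+\d+ \d\d:\d\d):\d\d\.\d+ \S+: %([A-Z_]+-\d-[A-Z_]+):")

def sa_summary(text):
    """Return (count per ISAKMP state, MM_NO_STATE count per source peer)."""
    states, stuck = Counter(), Counter()
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:  # header and blank lines do not match
            states[m.group(3)] += 1
            if m.group(3) == "MM_NO_STATE":
                stuck[m.group(2)] += 1
    return states, stuck

def queue_alerts_per_minute(text):
    """Count IKE input-queue time-limit messages per minute of log time."""
    hits = Counter()
    for line in text.splitlines():
        m = LOG_ROW.match(line)
        if m and m.group(2) == "CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED":
            hits[m.group(1)] += 1
    return hits

def needs_review(states, threshold=0.5):  # threshold is an assumed value, tune per site
    total = sum(states.values())
    return total > 0 and states["MM_NO_STATE"] / total > threshold

if __name__ == "__main__":
    states, stuck = sa_summary(SAMPLE_SA)
    print(states, stuck, needs_review(states), queue_alerts_per_minute(SAMPLE_LOG))
```

Grouping MM_NO_STATE entries by source peer separates a single misconfigured peer (one address, phase 1 policy mismatch) from many addresses failing at once.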



 