AIM-VPN/BP module for Cisco Router 2600

Discussion in 'Cisco' started by bensonlei@yahoo.com.hk, Mar 23, 2011.

  1. Guest

    Hi,

    We found errors for the router 2600 with AIM module ( WAN Link =
    1Mbit ), and LAN = 100Mbit, VPN encryption tunnel is formed over the
    WAN Link, and found the following issue:

    -----------------------------

    ..Mar 22 01:22:05.411 HKT: %HW_VPN-1-HPRXERR: Virtual Private Network
    (VPN) Module0/2: Packet Encryption/Decryption error, status=4100
    Mar 22 08:26:29.253 HKT: %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED: Pak
    spent too much time in the IKE input queues
    Mar 22 08:26:39.774 HKT: %OSPF-5-ADJCHG: Process 10, Nbr 10.26.9.8 on
    Tunnel25 from EXCHANGE to DOWN, Neighbor Down: Dead timer expired

    ---------------------------


    Does anybody know the issue?

    Thanks so much
     
    , Mar 23, 2011
    #1

  2. mixig Guest

    From the Cisco web site:

    - If the IKE process is under heavy load, incoming IKE packets may spend
    too much time in the IKE input queue, which will result in the generation of
    an error level (severity 3) Syslog message. The Syslog message is
    %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED, which has this format:
    %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED : Pak spent too much time in the
    IKE input queues
    Additional information on those syslog messages can be found at
    http://www.cisco.com/en/US/docs/ios/12_3t/system/messages/smg2tmsd.html#wp715560.
    All %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED messages should be investigated
    to determine if this issue is being exploited.

    - show crypto isakmp sa
    Use the command show crypto isakmp sa to view the Internet Security
    Association Key Management Protocol (ISAKMP) security associations (SAs)
    table to determine if an excessive number of main mode no state
    (MM_NO_STATE) entries are present. ISAKMP SAs in MM_NO_STATE indicate that
    there was a main mode failure between IPSec peers and that their IKE phase 1
    policies did not match. An excessively large number may be an indication of
    an attempt to exploit this issue.
    Example output for show crypto isakmp sa:
    vpn-router#show crypto isakmp sa | include MM_NO_STATE

    <> wrote in message
    news:...
    > Hi,
    >
    > We found errors for the router 2600 with AIM module ( WAN Link =
    > 1Mbit ), and LAN = 100Mbit, VPN encryption tunnel is formed over the
    > WAN Link, and found the following issue:
    >
    > -----------------------------
    >
    > .Mar 22 01:22:05.411 HKT: %HW_VPN-1-HPRXERR: Virtual Private Network
    > (VPN) Module0/2: Packet Encryption/Decryption error, status=4100
    > Mar 22 08:26:29.253 HKT: %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED: Pak
    > spent too much time in the IKE input queues
    > Mar 22 08:26:39.774 HKT: %OSPF-5-ADJCHG: Process 10, Nbr 10.26.9.8 on
    > Tunnel25 from EXCHANGE to DOWN, Neighbor Down: Dead timer expired
    >
    > ---------------------------
    >
    >
    > Does anybody know the issue?
    >
    > Thanks so much
    >
    >
     
    mixig, Mar 23, 2011
    #2
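
The two checks described in the reply above, as an added example that is not part of the thread or of Cisco's text: it parses the log lines from the first post, flags OSPF adjacency drops that follow an IKE input-queue warning, and counts MM_NO_STATE entries per peer. The `show crypto isakmp sa` table is constructed sample data, and the 60-second window, the threshold of 3 and the year 2011 (taken from the thread date) are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Log lines from the first post, with wrapped lines rejoined.
SYSLOG = """\
..Mar 22 01:22:05.411 HKT: %HW_VPN-1-HPRXERR: Virtual Private Network (VPN) Module0/2: Packet Encryption/Decryption error, status=4100
Mar 22 08:26:29.253 HKT: %CRYPTO-3-IKE_PAK_IN_Q_TIME_LIMIT_EXCEED: Pak spent too much time in the IKE input queues
Mar 22 08:26:39.774 HKT: %OSPF-5-ADJCHG: Process 10, Nbr 10.26.9.8 on Tunnel25 from EXCHANGE to DOWN, Neighbor Down: Dead timer expired
"""

# Constructed `show crypto isakmp sa` output (documentation addresses), not from the thread.
ISAKMP_SA = """\
dst             src             state          conn-id slot status
192.0.2.1       198.51.100.7    MM_NO_STATE          0    0 ACTIVE
192.0.2.1       198.51.100.7    MM_NO_STATE          0    0 ACTIVE
192.0.2.1       198.51.100.7    MM_NO_STATE          0    0 ACTIVE
192.0.2.1       203.0.113.9     QM_IDLE           1001    0 ACTIVE
"""

LINE = re.compile(r"^[.*]*(\w{3} +\d+ [\d:.]+) \w+: %([A-Z_]+)-(\d)-([A-Z0-9_]+): (.*)$")

def parse_syslog(text, year=2011):
    """Return (timestamp, facility, severity, mnemonic, message) per IOS log line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())  # leading '.' or '*' clock markers are skipped
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
            events.append((ts, m.group(2), int(m.group(3)), m.group(4), m.group(5)))
    return events

def adjacency_drops_after_ike_backlog(events, window=timedelta(seconds=60)):
    """OSPF ADJCHG-to-DOWN messages logged within `window` after an IKE queue warning."""
    ike = [e[0] for e in events if e[3] == "IKE_PAK_IN_Q_TIME_LIMIT_EXCEED"]
    return [e for e in events if e[3] == "ADJCHG" and "to DOWN" in e[4]
            and any(timedelta(0) <= e[0] - t <= window for t in ike)]

def mm_no_state_by_peer(sa_output):
    """Count MM_NO_STATE rows per source address in `show crypto isakmp sa` output."""
    rows = (line.split() for line in sa_output.splitlines()[1:])
    return Counter(r[1] for r in rows if len(r) >= 3 and r[2] == "MM_NO_STATE")

def noisy_peers(sa_output, threshold=3):
    # threshold is an assumed value; tune it to the normal peer count of the router
    return sorted(p for p, n in mm_no_state_by_peer(sa_output).items() if n >= threshold)
```

On the thread's own log lines this links the Tunnel25 OSPF neighbor going down to the IKE queue warning logged about ten seconds earlier.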