
Cisco 7100 Series VPN Routers

Field Notice: Mandatory IOS Upgrade for Cisco 7200 and CVPN 7100 Series Routers Running SA-ISA or SM-ISM HW Encryption Cards


January 19, 2001


Products Affected

Cisco 7200 and Cisco Virtual Private Network (CVPN) 7100 Series Routers running service adapter-integrated service adapter (SA-ISA) and/or service module-integrated service module (SM-ISM) hardware (HW) Encryption Accelerator cards and operating with Cisco IOS® Software Releases 12.1(3)E4, 12.1(4)E, and 12.1(5a)E, 56i and k2 IOS images.

Problem Description

The Hardware (HW) Encryption Accelerator card ceases to function in the router when presented with heavy traffic for prolonged periods:

Heavy Traffic > 50 Mbps

-or-

Large Number of Tunnels > 250

Specific thresholds vary and depend upon:

  • network topology

  • number of tunnels

  • cryptographic transform set in use

  • total Mbps throughput

The variables involved are complex enough that Cisco recommends upgrading immediately to Cisco IOS Software Release 12.1(5a)E2 or later, per the instructions in the Workaround/Solution section below.

Background

A firmware incompatibility between Cisco IOS crypto (Data Encryption Standard [DES and 3DES]) images and the SA-ISA and SM-ISM HW encryption cards was discovered and rectified in Cisco IOS Software Release 12.1(5a)E2. There is no need for a hardware return material authorization (RMA) for this issue. Please see the Workaround/Solution section below for a link to Cisco.com's software center.

Problem Symptoms

The SA-ISA or SM-ISM will shut down. IPsec tunnels will drop. The router will then switch to the IOS SW-based cryptographic services.

One scenario is that the IOS senses an SA-ISA / SM-ISM heartbeat failure and shuts down the SA-ISA / SM-ISM card, causing all tunnels to drop and then rebuild.

Example error message output and command line interface (CLI) show command:

00:20:03: %ISA-6-INFO: ISA slot 5: Firmware heartbeat failed 

Kasmir#show crypto isakmp sa
    dst           src          state        conn-id   slot
50.1.1.2       50.1.1.1       QM_IDLE           1       0
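
The following triage script is an added example, not part of the original field notice or Cisco tooling: it scans collected router logs for the heartbeat failure message quoted above and compares the running release against the releases this notice lists as affected. The "show version" line and the first log line are constructed sample input, and the status labels are hypothetical names.

```python
import re
from collections import Counter

# Releases the field notice lists as affected; 12.1(5a)E2 or later carries the fix.
AFFECTED_RELEASES = {"12.1(3)E4", "12.1(4)E", "12.1(5a)E"}

# The syslog message quoted in the notice.
HEARTBEAT_RE = re.compile(r"%ISA-6-INFO: ISA slot (\d+): Firmware heartbeat failed")
# Release token in "show version" output, e.g. "Version 12.1(5a)E,".
VERSION_RE = re.compile(r"Version (\d+\.\d+\(\d+[a-z]?\)[A-Z]*\d*)")


def heartbeat_failures(log_text):
    """Count firmware heartbeat failures per slot number."""
    return Counter(int(m.group(1)) for m in HEARTBEAT_RE.finditer(log_text))


def running_release(show_version_text):
    """Extract the IOS release string, or None if it cannot be found."""
    m = VERSION_RE.search(show_version_text)
    return m.group(1) if m else None


def triage(show_version_text, log_text):
    """Classify one router from its 'show version' output and its log."""
    release = running_release(show_version_text)
    failures = heartbeat_failures(log_text)
    affected = release in AFFECTED_RELEASES
    if affected and failures:
        status = "upgrade-now"   # symptom seen on an affected release
    elif affected:
        status = "upgrade"       # affected release, no failure logged yet
    elif failures:
        status = "investigate"   # failure logged outside the listed releases
    else:
        status = "ok"
    return {"release": release, "affected": affected,
            "failed_slots": dict(failures), "status": status}


# Constructed sample input (only the heartbeat line is taken from the notice).
SAMPLE_VERSION = ("IOS (tm) 7200 Software (C7200-IK2S-M), Version 12.1(5a)E, "
                  "EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)")
SAMPLE_LOG = """00:19:58: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
00:20:03: %ISA-6-INFO: ISA slot 5: Firmware heartbeat failed
"""

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_LOG))
```

The release check is an exact match against the notice's list, so it says nothing about whether an SA-ISA or SM-ISM card is installed; confirm that separately on each router.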

Workaround/Solution

Please upgrade to Cisco IOS Software Release 12.1(5a)E2 or later. For more information, visit:

Cisco.com software center (registered customers only)

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS                                      Description
CSCds19846 (registered customers only)    12.1(3)E4
CSCds81783 (registered customers only)    12.1(4)E and 12.1(5a)E 56i and k2 IOS Images

Cisco IOS Versions Affected

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
