Field Notice: FN - 63206 - Configuring crypto maps in Crypto Connect Mode on 12.2(33)SXH4 based release can cause a sustained increase in CPU utilization
Revised March 23, 2009
March 23, 2009
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Updated configuration examples in background section
Initial Public Release
All 6500 Chassis - VPN-SPA
When you run Cisco IOS Software Release 12.2(33)SXH4 and configure crypto maps in Crypto Connect Mode, there is a chance for sustained high CPU.
When you run Cisco IOS Software Release 12.2(33)SXH4 and configure crypto maps in Crypto Connect Mode, some packets are software switched on the RP and can cause sustained high CPU on the 6500.
Configuration examples that can cause the problem:
Dynamic CM with ACL in Crypto Connect Mode
crypto dynamic-map test 10
 set transform-set tset
 match address 101
crypto map test_dcm 1 ipsec-isakmp dynamic test
access-list 101 permit ip <network_1> <netmask> <network_2> <netmask>
Static CM in Crypto Connect Mode
crypto map ipsecmap 1 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ts
 match address 110
access-list 110 permit ip <network_1> <netmask> <network_2> <netmask>
Possible high CPU can occur when you use crypto maps with Crypto Connect Mode in Cisco IOS Software Release 12.2(33)SXH4.
There are three workarounds at this time:
- Use a non 12.2(33)SXH4 based image, such as Cisco IOS Software Release 12.2(33)SXH3a. This defect does not manifest itself in a non 12.2(33)SXH4 code base.
- Use crypto maps in VRF Mode, if possible.
- Use a dynamic crypto map without an explicit ACL instead.
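To check a device against the conditions above, the following Python check (an added example, not part of Cisco's notice) flags the crypto map entries that match the two problem configurations. It assumes Crypto Connect Mode shows up as a `crypto connect vlan` interface command with no global `crypto engine mode vrf`, and that the release is matched as the exact string 12.2(33)SXH4 in `show version` output; the function names and the sample input are constructed for illustration.

```python
import re

# Constructed sample inputs (not from a real device), modelled on the notice's examples.
SHOW_VERSION = "Cisco IOS Software, s72033_rp Software, Version 12.2(33)SXH4, RELEASE SOFTWARE (fc1)"
RUNNING_CONFIG = """\
crypto dynamic-map test 10
 set transform-set tset
 match address 101
crypto dynamic-map open 10
 set transform-set tset
crypto map test_dcm 1 ipsec-isakmp dynamic test
crypto map ipsecmap 1 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ts
 match address 110
interface GigabitEthernet1/1
 crypto connect vlan 100
"""

def blocks(config):
    """Yield (header, [sub-commands]) for each top-level config stanza."""
    header, body = None, []
    for line in filter(str.strip, config.splitlines()):  # skip blank lines
        if line[0] != " ":  # unindented line starts a new stanza
            if header is not None:
                yield header, body
            header, body = line.strip(), []
        else:
            body.append(line.strip())
    if header is not None:
        yield header, body

def audit(show_version, config):
    """Return the crypto map entries matching the notice's problem configurations."""
    if not re.search(r"Version 12\.2\(33\)SXH4\b", show_version):
        return []  # assumption: only the exact release named in the notice is checked
    stanzas = list(blocks(config))
    vrf_mode = any(h == "crypto engine mode vrf" for h, _ in stanzas)
    connect = any(c.startswith("crypto connect vlan") for _, b in stanzas for c in b)
    if vrf_mode or not connect:
        return []  # assumption: this means the device is not in Crypto Connect Mode
    hits = []
    for header, body in stanzas:
        has_acl = any(c.startswith("match address") for c in body)
        if header.startswith("crypto dynamic-map ") and has_acl:
            hits.append(header)  # dynamic map with an explicit ACL
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp$", header):
            hits.append(header)  # static crypto map
    return hits
```

The dynamic map entry without `match address` (`open 10` in the sample) is not flagged, which corresponds to the third workaround.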
To follow the bug ID link below and see detailed bug information, you must be a registered customer and you must be logged in.
CSCek77996 (registered customers only)
Integrated in: 12.2(32.08.11)XID112.3 12.2(32.08.11)XJC153.1 12.2(33)SXI 12.2(33.04.19)SXH
For More Information
If you require further assistance, or if you have any further questions about this field notice, contact the Cisco Systems Technical Assistance Center (TAC) by one of these methods:
Receive Email Notification For New Field Notices
Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.