Option to Disable Hardware Crypto Engine
Failover to Software Crypto Engine
The Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine feature gives you the option of configuring your router so that failover to the software crypto engine does not occur even if the hardware crypto engine fails.
Feature History for Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
Release | Modification
12.3(14)T | This feature was introduced.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Prerequisites for Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
• Information About Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
• How to Configure Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
• Configuration Examples for Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
• Additional References
Prerequisites for Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
• You must have the Cisco IOS IP Security (IPSec) framework configured on your network.
Information About Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
To configure the Disable Hardware Crypto Engine Failover to Software Crypto Engine feature, you should understand the following concepts:
• Hardware Crypto Engine Failover to the Software Crypto Engine: Overview
• Option to Disable Hardware Crypto Engine Failover
Hardware Crypto Engine Failover to the Software Crypto Engine: Overview
Cisco IOS IPSec traffic can be supported both by a hardware encryption engine and by a software crypto engine (that is, by the main CPU, which is running a software encryption algorithm). If the hardware encryption engine fails, the software on the main CPU attempts to perform the IPSec functions. However, the main CPU software routines have only a small percentage of bandwidth compared with those of the hardware encryption engine. If a sufficient amount of traffic is being handled by the hardware engine, it is possible that on failover, the main CPU may try to handle more traffic than it can, causing the router to fail.
Option to Disable Hardware Crypto Engine Failover
The Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine feature allows you to configure your router so that the hardware crypto engine does not automatically fail over to the software crypto engine.
Failover to the software crypto engine remains the default, for situations in which you prefer that the software routines on the main CPU take over when the hardware crypto engine fails.
How to Configure Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
This section contains the following procedure:
• Disabling Hardware Crypto Engine Failover to the Software Crypto Engine
Disabling Hardware Crypto Engine Failover to the Software Crypto Engine
To disable hardware crypto engine failover to the software crypto engine, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. no crypto engine software ipsec
DETAILED STEPS
Step 1
Command or Action: enable
Example:
Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2
Command or Action: configure terminal
Example:
Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command or Action: no crypto engine software ipsec
Example:
Router(config)# no crypto engine software ipsec
Purpose: Disables hardware crypto engine failover to the software crypto engine.
• To reenable failover, use the crypto engine software ipsec form of this command.
Configuration Examples for Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
This section includes the following configuration example:
• Disabled Hardware Crypto Engine Failover: Example
Disabled Hardware Crypto Engine Failover: Example
The following example shows that hardware crypto engine failover to the software crypto engine has been disabled:
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
ip audit po max-events 100
no ftp-server write-enable
no crypto engine software ipsec
crypto isakmp key cisco123 address 209.165.201.2
!
crypto ipsec transform-set basic esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
ip address 192.168.1.1 255.255.255.0
ip address 209.165.200.2 255.255.255.252
serial restart-delay 0
crypto map mymap
!
ip route 0.0.0.0 0.0.0.0 209.165.200.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 remark Crypto ACL
!
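A check for this setting across saved configurations, as an added example (not Cisco's code): it reports whether a configuration disables software failover, treating a missing line as the default (failover enabled), and also flags DES/MD5 transforms like those in the example above. The function name, result keys and sample configurations are assumptions of this example.

```python
import re

# Assumption of this example: single DES and MD5-based HMACs count as weak.
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}

def audit_ios_config(text):
    """Audit one IOS configuration (as text) for crypto engine failover state."""
    uses_ipsec = False
    failover_disabled = False  # per the page, failover to software is the default
    weak = []
    for raw in text.splitlines():
        # Tolerate a "!" separator fused onto the end of a command line.
        line = re.sub(r"\s+", " ", raw.strip().rstrip("!")).strip()
        if line == "no crypto engine software ipsec":
            failover_disabled = True
        elif line == "crypto engine software ipsec":
            failover_disabled = False  # explicit re-enable
        elif line.startswith("crypto ipsec transform-set "):
            uses_ipsec = True
            name, *transforms = line.split()[3:]
            weak += [(name, t) for t in transforms if t in WEAK_TRANSFORMS]
        elif line.startswith("crypto map "):
            uses_ipsec = True
    return {
        "uses_ipsec": uses_ipsec,
        "software_failover_disabled": failover_disabled,
        # True: the main CPU would take over IPSec if the hardware engine fails.
        "cpu_absorbs_ipsec_on_hw_failure": uses_ipsec and not failover_disabled,
        "weak_transforms": weak,
    }

# Constructed sample: the relevant lines of the page's example configuration.
SAMPLE_DISABLED = """\
no crypto engine software ipsec
crypto isakmp key cisco123 address 209.165.201.2!
crypto ipsec transform-set basic esp-des esp-md5-hmac!
crypto map mymap 10 ipsec-isakmp
"""

# Constructed sample: default behaviour (no failover line), AES/SHA transforms.
SAMPLE_DEFAULT = """\
crypto ipsec transform-set strong esp-aes esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
"""

if __name__ == "__main__":
    for label, cfg in (("disabled", SAMPLE_DISABLED), ("default", SAMPLE_DEFAULT)):
        print(label, audit_ios_config(cfg))
```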
Additional References
The following sections provide references related to Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine.
Related Documents
Standards
Standards | Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | —
MIBs
MIBs | MIBs Link
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. | To locate and download MIBs for selected platforms, Cisco IOS software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFCs | Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | —
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport
Command Reference
The following commands are introduced or modified in the feature or features
• no crypto engine software ipsec
For information about these commands, see the Cisco IOS Security Command Reference at
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html.
For information about all Cisco IOS commands, see the Command Lookup Tool at
http://tools.cisco.com/Support/CLILookup or the Master Command List.
© 2009-2010 Cisco Systems, Inc. All rights reserved.