January 19, 2001
Cisco 7200 and Cisco Virtual Private Network (CVPN) 7100 Series Routers running service adapter-integrated service adapter (SA-ISA) and/or service module-integrated service module (SM-ISM) hardware (HW) Encryption Accelerator cards and operating with Cisco IOS® Software Releases 12.1(3)E4, 12.1(4)E, 12.1(5a)E 56i, and k2 IOS Images.
The Hardware (HW) Encryption Accelerator card ceases to function in the router when presented with heavy traffic for prolonged periods:
Heavy Traffic > 50 Mbps
Large Number of Tunnels > 250
Specific thresholds vary and depend upon:
number of tunnels
cryptographic transform set in use
total Mbps throughput
Because of the complexity of the variables involved, Cisco recommends upgrading immediately to Cisco IOS Software Release 12.1(5a)E2 or later, per the Workaround/Solution section instructions below.
A firmware incompatibility issue between Cisco IOS crypto (Data Encryption Standard [DES and 3DES]) images and the SA-ISA and SM-ISM HW encryption cards was discovered and rectified in Cisco IOS Software Release 12.1(5a)E2. There is no need for a hardware return material authorization (RMA) for this issue. Please reference the Workaround/Solution section below for a link to Cisco.com's software center.
The SA-ISA or SM-ISM will shut down. IPsec tunnels will drop. The router will then switch to the IOS SW-based cryptographic services.
One scenario is that IOS senses an SA-ISA / SM-ISM heartbeat failure and shuts down the SA-ISA / SM-ISM card, causing all tunnels to drop and then rebuild.
Example error message output and command line interface (CLI) show command:
00:20:03: %ISA-6-INFO: ISA slot 5: Firmware heartbeat failed

Kasmir#show crypto isakmp sa
dst             src             state      conn-id   slot
188.8.131.52    184.108.40.206  QM_IDLE    1         0
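As an added illustration (not part of Cisco's notice), the following Python example scans collected syslog lines for the heartbeat-failure message shown above and checks a `show version` banner against the releases this notice lists as affected. The function names, the sample banner line and every log line except the first are constructed for the example; release strings are compared by exact match only.

```python
import re
from collections import defaultdict

# Releases this notice names as affected; compared by exact match only.
AFFECTED_RELEASES = {"12.1(3)E4", "12.1(4)E", "12.1(5a)E"}

HEARTBEAT_RE = re.compile(
    r"^(?P<ts>.*?): %ISA-6-INFO: ISA slot (?P<slot>\d+): Firmware heartbeat failed")
VERSION_RE = re.compile(r"Version (?P<rel>\d+\.\d+\([0-9a-z]+\)[A-Z0-9]*)")

# First line is the message quoted in the notice; the rest are constructed.
SAMPLE_LOG = [
    "00:20:03: %ISA-6-INFO: ISA slot 5: Firmware heartbeat failed",
    "00:20:09: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
    "00:41:17: %ISA-6-INFO: ISA slot 5: Firmware heartbeat failed",
]
# Constructed `show version` banner line (image name is a placeholder).
SAMPLE_SHOW_VERSION = (
    "IOS (tm) 7200 Software (C7200-EXAMPLE-M), Version 12.1(5a)E, RELEASE SOFTWARE")

def heartbeat_failures(log_lines):
    """Return {slot: [timestamps]} for each heartbeat-failure message found."""
    events = defaultdict(list)
    for line in log_lines:
        m = HEARTBEAT_RE.search(line.strip())
        if m:
            events[int(m.group("slot"))].append(m.group("ts"))
    return dict(events)

def running_release(show_version_text):
    """Extract the IOS release string from `show version` text, or None."""
    m = VERSION_RE.search(show_version_text)
    return m.group("rel") if m else None

def triage(log_lines, show_version_text):
    """Combine both checks into one report for a single router."""
    release = running_release(show_version_text)
    failures = heartbeat_failures(log_lines)
    affected = release in AFFECTED_RELEASES
    return {
        "release": release,
        "affected_release": affected,
        "failures": failures,
        # Symptom seen on a listed release: matches this notice's scenario.
        "matches_field_notice": affected and bool(failures),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_SHOW_VERSION))
```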
Please upgrade to Cisco IOS Software Release 12.1(5a)E2 or later. For more information, visit:
To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.
12.1(4)E and 12.1(5a)E 56i and k2 IOS Images
Cisco IOS Versions Affected
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: