Mailing List Archive: Cisco: NSP

Troubling IPSec issues with a 6500



daubman at gmail

Sep 12, 2007, 6:10 AM

Post #1 of 7 (268 views)
Troubling IPSec issues with a 6500

Greetings,

I have a client that's run into some trouble with IPSec-over-GRE and
I'm trying to help debug. The problem sounds very familiar, however I
haven't come up with a solution yet in my searches...

The basic setup is:

7206(GigE)<------>(GigE)6500

The IPSec (preshared) setup is pretty much straight out of a Cisco
IPSec-over-GRE example with one (possibly key) difference:
On the 6500, pretty much all traffic in/out is using single GigE
interface with multiple trunked Vlans.

The tunnel comes up and all show/debug output looks good. The 7200
works bi-directionally, however, the 6500 seems to be only encrypting
in a single direction for external traffic.

Traffic originating ON the 6500 (ping) gets encrypted and sent over
the tunnel, and all received IPSec traffic is decrypted. However,
traffic that comes in on one of the other VLANs, which is supposed to get
tunneled, then encrypted, then sent out a different VLAN, only
gets GRE encapsulated and skips the IPSec crypto.

What I REALLY can't figure out is that the crypto map match access
list counters ARE incrementing for this traffic that is not being
encrypted...

The 6500 (Sup720-3a MSFC3) only has 64Mb flash, so it is running the
latest possible image that it can: 12.2.18-SXD7b
...there is no FWSM in the picture.

Any ideas?

Interestingly enough, the same (exact, VLANs and all) setup is working
between the 7200 and a 2600, with the only major difference I can see
being the hardware platform and the IOS release.

TIA,
~Aaron
_______________________________________________
cisco-nsp mailing list cisco-nsp[at]puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


gert at greenie

Sep 12, 2007, 7:08 AM

Post #2 of 7 (262 views)
Re: Troubling IPSec issues with a 6500 [In reply to]

Hi,

On Wed, Sep 12, 2007 at 09:10:52AM -0400, Aaron Daubman wrote:
> I have a client that's run into some trouble with IPSec-over-GRE and
> I'm trying to help debug. The problem sounds very familiar, however I
> haven't come up with a solution yet in my searches...
>
> The basic setup is:
>
> 7206(GigE)<------>(GigE)6500

Are you sure IPSEC on the 6500 is supported?

From your description, this sounds as if

- CPU switched traffic (locally generated) will use IPSEC
- hardware-switched traffic will only do GRE (because the hardware knows
how to do that).

As far as I understand the architecture, a basic 6500 won't do IPSEC...

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert[at]greenie.muc.de
fax: +49-89-35655025 gert[at]net.informatik.tu-muenchen.de


daubman at gmail

Sep 12, 2007, 8:21 AM

Post #3 of 7 (262 views)
Re: Troubling IPSec issues with a 6500 [In reply to]

Gert,

On 9/12/07, Gert Doering <gert[at]greenie.muc.de> wrote:
...
>
> Are you sure IPSEC on the 6500 is supported?
>
> From your description, this sounds as if
>
> - CPU switched traffic (locally generated) will use IPSEC
> - hardware-switched traffic will only do GRE (because the hardware knows
> how to do that).
>
> As far as I understand the architecture, a basic 6500 won't do IPSEC...
Your answer seems (unfortunately) logically sound... how could I
verify if this is definitely the issue?

Thanks again,
~Aaron


pshuleski at gmail

Sep 12, 2007, 8:52 AM

Post #4 of 7 (257 views)
Re: Troubling IPSec issues with a 6500 [In reply to]

I was under the impression that it was software-based unless you had
the IPSEC SPA module.

I haven't heard of an issue like that though. Although I have
experienced similar issues, like wccp would not redirect unless I
enabled netflow on the interface. I guess it kicked it into software
and then wccp would work.

One issue we have had with ipsec is the adjust-mss command is not
available on the 6500 until a later release. I have not checked if
it is in the latest SXF yet, however. Until it is, you will need to
clear the DF bit on all traffic exiting the tunnels, which means more
CPU required to reassemble on the remote side.

On 9/12/07, Gert Doering <gert[at]greenie.muc.de> wrote:
> Hi,
>
> On Wed, Sep 12, 2007 at 09:10:52AM -0400, Aaron Daubman wrote:
> > I have a client that's run into some trouble with IPSec-over-GRE and
> > I'm trying to help debug. The problem sounds very familiar, however I
> > haven't come up with a solution yet in my searches...
> >
> > The basic setup is:
> >
> > 7206(GigE)<------>(GigE)6500
>
> Are you sure IPSEC on the 6500 is supported?
>
> From your description, this sounds as if
>
> - CPU switched traffic (locally generated) will use IPSEC
> - hardware-switched traffic will only do GRE (because the hardware knows
> how to do that).
>
> As far as I understand the architecture, a basic 6500 won't do IPSEC...
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert[at]greenie.muc.de
> fax: +49-89-35655025 gert[at]net.informatik.tu-muenchen.de


gert at greenie

Sep 12, 2007, 12:00 PM

Post #5 of 7 (256 views)
Re: Troubling IPSec issues with a 6500 [In reply to]

Hi,

On Wed, Sep 12, 2007 at 11:21:34AM -0400, Aaron Daubman wrote:
> > As far as I understand the architecture, a basic 6500 won't do IPSEC...

Maybe this needs to be qualified: it will do it in software, but if the
hardware grabs the packet and sends it away before the software gets to
see it, no IPSEC...

> Your answer seems (unfortunately) logically sound... how could I
> verify if this is definitely the issue?

There are some Cisco (and other) folks on this list that know the platform
much better than I do - but if they don't know either, you'll need to talk
to TAC... (or try upgrading to SXF/SXH and see whether things will break
in different ways :-) ).

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert[at]greenie.muc.de
fax: +49-89-35655025 gert[at]net.informatik.tu-muenchen.de
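One way to verify the hypothesis Gert describes (locally generated traffic leaves as ESP, hardware-switched transit traffic leaves as bare GRE) is to capture on the link between the two tunnel endpoints and count outer IP protocols per direction. The script below is an added example, not code from the thread; the peer addresses and the captured packets are constructed sample input.

```python
"""Audit a capture between two IPsec-over-GRE peers: any packet that leaves as
plain GRE (IP protocol 47) instead of ESP (IP protocol 50) bypassed the crypto map."""
import socket
import struct
from collections import Counter, defaultdict

IPPROTO_GRE = 47
IPPROTO_ESP = 50

# Constructed sample tunnel endpoints; the thread gives no real addresses.
PEER_7200 = "192.0.2.1"
PEER_6500 = "192.0.2.2"

def build_ipv4(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header plus payload (constructed test input)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto) from an IPv4 packet, honouring the IHL field."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("truncated IPv4 header")
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9]

def classify(pkt, peers):
    """'esp' = protected, 'gre-cleartext' = crypto bypassed, 'other' = not peer traffic."""
    src, dst, proto = parse_ipv4(pkt)
    if src not in peers or dst not in peers or src == dst:
        return "other"
    if proto == IPPROTO_ESP:
        return "esp"
    return "gre-cleartext" if proto == IPPROTO_GRE else "other"

def audit(packets, peers):
    """Count labels per direction, e.g. {'192.0.2.2->192.0.2.1': {'esp': 1, ...}}."""
    result = defaultdict(Counter)
    for pkt in packets:
        src, dst, _ = parse_ipv4(pkt)
        result[f"{src}->{dst}"][classify(pkt, peers)] += 1
    return {k: dict(v) for k, v in result.items()}

# Constructed capture: the 6500's own ping went out as ESP, two transit packets
# from another VLAN left as bare GRE, and the 7200 side encrypted everything.
SAMPLE_CAPTURE = [
    build_ipv4(PEER_6500, PEER_7200, IPPROTO_ESP, b"\x00" * 16),
    build_ipv4(PEER_6500, PEER_7200, IPPROTO_GRE, b"\x00\x00\x08\x00" + b"\x00" * 20),
    build_ipv4(PEER_6500, PEER_7200, IPPROTO_GRE, b"\x00\x00\x08\x00" + b"\x00" * 20),
    build_ipv4(PEER_7200, PEER_6500, IPPROTO_ESP, b"\x00" * 16),
    build_ipv4("198.51.100.9", PEER_6500, 6, b""),  # unrelated TCP, ignored
]
```

A non-zero `gre-cleartext` count in the 6500-to-7200 direction, with the crypto map ACL counters still incrementing, is the signature of the hardware path forwarding the GRE packet before the software crypto engine sees it.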


lf at elemental

Sep 12, 2007, 12:46 PM

Post #6 of 7 (246 views)
Re: Troubling IPSec issues with a 6500 [In reply to]

Hi!

Quoting Pete S. (pshuleski[at]gmail.com):

> One issue we have had with ipsec is the adjust-mss command is not
> available on the 6500 until a later release. I have not checked up if
> it is in the latest SXF yet however. Until it is, You will need to
> clear the DF bit on all traffic exiting the tunnels which means more
> cpu required to re-assemble on the remote side.

Support for TCP MSS adjustment is in 12.2(33)SXH according to the
release notes. But there seems to be a bug related to TCP MSS
adjustment, too: CSCek66294.

Cheers,
Lars.
--
Lars Fenneberg, lf[at]elemental.net (private), lf[at]mcs.de (work)
Work legalese: MCS Moorbek Computer Systeme GmbH, Hamburg, Handelsregister Hamburg B62933, Geschaeftsfuehrer: Kai Brandes, Eckard Kabel


lists at hojmark

Sep 12, 2007, 1:52 PM

Post #7 of 7 (259 views)
Re: Troubling IPSec issues with a 6500 [In reply to]

> Interestingly enough, the same (exact, VLANs and all) setup
> is working between the 7200 and a 2600, with the only major
> difference I can see being the hardware platform and the IOS
> release.

IPSec on the 6500 is only supported for management traffic,
*unless* you have hardware assist for IPSec (the old IPSec
service module or the new SIP/SPA solution) *and* one of the
Advanced feature sets.

See http://tinyurl.com/ysxztz

-A
