Cisco 3925 Troubleshooting – HW State: DEAD

cisco, hardware, troubleshooting, vpn

I received an alert stating that a crypto engine was 'dead'. I did a bit of digging and was able to find some output to validate this:

    #sh crypto eng config


    crypto engine name:  Virtual Private Network (VPN) Module
    crypto engine type:  hardware
                 State:  Enabled
              Location:  onboard 0
          Product Name:  Onboard-VPN
            FW Version:  1
          Time running:  2868294 seconds
           Compression:  Yes
                   DES:  Yes
                 3 DES:  Yes
               AES CBC:  Yes (128,192,256)
              AES CNTR:  No
 Maximum buffer length:  4096
      Maximum DH index:  0000
      Maximum SA index:  0000
    Maximum Flow index:  8000
  Maximum RSA key size:  0000

    crypto engine name:  Virtual Private Network (VPN) Module
    crypto engine type:  hardware
                 State:  Disabled
              Location:  slot 0
          Product Name:  ISM VPN Accelerator
          UBOOT Ver   : U-Boot 1.1.1 - ISRG2-Crypto-Engine - Version 2.7 (Build time: Mar  7 2011 - 09:12:23)
          Firmware Ver:   User: ssafari - View/Label: REVENTON_FW_COMMIT_IOS_12022013 - Date: Dec  2 2013 - Time: 16:18:14 

          HW State    : DEAD

           Compression:  No
                   DES:  Yes
                 3 DES:  Yes
               AES CBC:  Yes (128,192,256)
              AES CNTR:  No
 Maximum buffer length:  4096
      Maximum DH index:  5120
      Maximum SA index:  5120
    Maximum Flow index:  10230
  Maximum RSA key size:  2048

    crypto lib version:  22_421.0.0

    crypto lib version:  22_421.0.0

I'm unfamiliar with what this output is saying. Is the VPN Module like a line card that is plugged into the router and can be replaced? Does the HW State: DEAD mean the card is bad and needs to be replaced? What are some other show commands I can use to validate what this output is implying?

Best Answer

Yes, the VPN module is a linecard that's plugged into the router and can be replaced.

A 'DEAD' hardware state simply means the router has lost communication with the ISM. This does not actually mean the hardware is dead, as a variety of issues in the field have caused this for me: cards that somehow get unseated, incompatibilities with IOS and the card's firmware, etc. The first issue usually has different evidence, though.

You can try to reload the router, but the best bet would be to engage Cisco's TAC to identify whether it is a backplane problem on the router or a problem with the module itself.

The fact that the show crypto engine config command still returns results about the card is an indicator that the card itself may be OK and has just crashed, but the HW state 'DEAD' doesn't mean the hardware is gone forever (though it could indicate a hardware problem such as memory corruption, electrical failure, etc.). Cisco bug CSCtz51773 may be relevant here; find a release that has a fix for this bug and try it out to see if it works for you.
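To catch this condition from collected output instead of waiting for an alert, the `show crypto engine config` text can be parsed per engine. The Python below is an added example, not part of the original question or answer; the function names and the trimmed sample are constructed here, and the check keys only on the `HW State : DEAD` string shown in the question.

```python
import re

# Constructed sample: trimmed from the output format shown in the question.
SAMPLE = """\
    crypto engine name:  Virtual Private Network (VPN) Module
                 State:  Enabled
              Location:  onboard 0
          Product Name:  Onboard-VPN

    crypto engine name:  Virtual Private Network (VPN) Module
                 State:  Disabled
              Location:  slot 0
          Product Name:  ISM VPN Accelerator
          UBOOT Ver   : U-Boot 1.1.1 - ISRG2-Crypto-Engine - Version 2.7 (Build time: Mar  7 2011 - 09:12:23)

          HW State    : DEAD

    crypto lib version:  22_421.0.0
"""

# Key is the text before the first colon; the value may contain more colons.
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")

def parse_engines(text):
    """Return one dict of fields per 'crypto engine name' block."""
    engines = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m or m.group(1) == "crypto lib version":
            continue  # blank line or trailer, not a per-engine field
        key, value = m.groups()
        if key == "crypto engine name":
            engines.append({})
        if engines:
            engines[-1][key] = value
    return engines

def dead_engines(engines):
    """Return (location, product, state) for engines reporting HW State: DEAD."""
    return [(e.get("Location"), e.get("Product Name"), e.get("State"))
            for e in engines if e.get("HW State") == "DEAD"]

if __name__ == "__main__":
    for loc, product, state in dead_engines(parse_engines(SAMPLE)):
        print(f"{product} at {loc}: HW State DEAD (State: {state})")
```

The onboard engine in the sample has no `HW State` line at all, so the check treats a missing field as "not reported" and does not flag it.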
