I received an alert stating that a crypto engine was 'dead'. I did a bit of digging and was able to find some output to validate this:
#sh crypto eng config
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
FW Version: 1
Time running: 2868294 seconds
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0000
Maximum SA index: 0000
Maximum Flow index: 8000
Maximum RSA key size: 0000
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Disabled
Location: slot 0
Product Name: ISM VPN Accelerator
UBOOT Ver : U-Boot 1.1.1 - ISRG2-Crypto-Engine - Version 2.7 (Build time: Mar 7 2011 - 09:12:23)
Firmware Ver: User: ssafari - View/Label: REVENTON_FW_COMMIT_IOS_12022013 - Date: Dec 2 2013 - Time: 16:18:14
HW State : DEAD
Compression: No
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 5120
Maximum SA index: 5120
Maximum Flow index: 10230
Maximum RSA key size: 2048
crypto lib version: 22_421.0.0
crypto lib version: 22_421.0.0
I'm unfamiliar with what this output is saying. Is the VPN Module like a line card that is plugged into the router and can be replaced? Does the HW State: DEAD mean the card is bad and needs to be replaced? What are some other show commands I can use to validate what this output is implying?
Best Answer
Yes, the VPN module is a linecard that's plugged into the router and can be replaced.
A 'DEAD' hardware state simply means the router has lost communication with the ISM. This does not actually mean the hardware is dead, as a variety of issues in the field have caused this for me: cards that somehow get unseated, incompatibilities with IOS and the card's firmware, etc. The first issue usually has different evidence, though.
You can try to reload the router, but the best bet would be to engage Cisco's TAC to identify whether it is a backplane problem on the router or a problem with the module itself.
The fact that the show crypto engine config command still returns results about the card is an indicator that the card itself may be OK and has just crashed, but the HW state 'DEAD' doesn't mean the hardware is gone forever (though it could indicate a hardware problem such as memory corruption, electrical failure, etc.). Cisco bug CSCtz51773 may be relevant here; find a release that has a fix for this bug and try it out to see if it works for you.
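As an added example (not part of the question or the answer above), here is a small Python parser that splits show crypto engine config output into one record per engine and flags any engine whose HW State is DEAD or whose State is Disabled, so the condition can be caught by monitoring instead of waiting for an alert. The sample text is a constructed abridgement of the output quoted in the question.

```python
from typing import Dict, List

# Constructed sample: an abridged copy of the "show crypto engine config"
# output quoted in the question (one onboard engine, one ISM in slot 0).
SAMPLE_OUTPUT = """\
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Disabled
Location: slot 0
Product Name: ISM VPN Accelerator
UBOOT Ver : U-Boot 1.1.1 - ISRG2-Crypto-Engine - Version 2.7 (Build time: Mar 7 2011 - 09:12:23)
HW State : DEAD
Maximum RSA key size: 2048
crypto lib version: 22_421.0.0
"""


def parse_engines(text: str) -> List[Dict[str, str]]:
    """Return one dict per engine. A new engine starts at each
    'crypto engine name:' line; keys are lowercased with the whitespace
    around the colon stripped, so 'HW State :' becomes 'hw state'.
    Values keep everything after the first colon (the U-Boot line has more)."""
    engines: List[Dict[str, str]] = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "crypto engine name":
            engines.append({})
        if engines:  # lines before the first engine header are skipped
            engines[-1][key] = value
    return engines


def unhealthy_engines(text: str) -> List[str]:
    """One finding per engine the router reports as DEAD or Disabled."""
    findings = []
    for eng in parse_engines(text):
        where = f"{eng.get('product name', '?')} at {eng.get('location', '?')}"
        if eng.get("hw state", "").upper() == "DEAD":
            findings.append(f"{where}: HW State DEAD (router lost contact with module)")
        elif eng.get("state", "").lower() == "disabled":
            findings.append(f"{where}: engine Disabled")
    return findings


if __name__ == "__main__":
    for finding in unhealthy_engines(SAMPLE_OUTPUT):
        print(finding)
```

In practice the text would come from the router via SSH or a log collector; the output of the engine that still answers while its HW State reads DEAD is exactly the case the answer says to watch for.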