Revised March 23, 2009
March 23, 2009
NOTICE:
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision History
| Revision | Date | Comment |
|---|---|---|
| 1.1 | 23-Mar-2009 | Updated configuration examples in background section |
| 1.0 | 23-Mar-2009 | Initial Public Release |
Products Affected
All 6500 Chassis - VPN-SPA
Problem Description
When you run Cisco IOS Software Release 12.2(33)SXH4 and configure crypto maps in Crypto Connect Mode, sustained high CPU utilization can occur.
Background
When you run Cisco IOS Software Release 12.2(33)SXH4 and configure crypto maps in Crypto Connect Mode, some packets are software-switched on the RP and can cause sustained high CPU utilization on the 6500.
Configuration examples that can cause the problem:
Example 1:
Dynamic CM with ACL in Crypto Connect Mode
crypto dynamic-map test 10
 set transform-set tset
 match address 101
crypto map test_dcm 1 ipsec-isakmp dynamic test
!
access-list 101 permit ip <network_1> <netmask> <network_2> <netmask>
Example 2:
Static CM in Crypto Connect Mode
crypto map ipsecmap 1 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ts
 match address 110
access-list 110 permit ip <network_1> <netmask> <network_2> <netmask>
Problem Symptoms
High CPU utilization can occur when you use crypto maps with Crypto Connect Mode in Cisco IOS Software Release 12.2(33)SXH4.
Workaround/Solution
There are three workarounds at this time:
- Use a non-12.2(33)SXH4-based image, such as Cisco IOS Software Release 12.2(33)SXH3a. This defect does not manifest itself in a non-12.2(33)SXH4 code base.
- Use crypto maps in VRF Mode, if possible.
- Use a dynamic crypto map without an explicit ACL instead.
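A configuration audit for the conditions this notice describes, as an added example that is not Cisco's code. The function name and the sample text are constructed for illustration, and the script assumes that Crypto Connect Mode appears in the running configuration as a `crypto connect vlan` line and VRF Mode as `crypto engine mode vrf`.

```python
import re

AFFECTED = re.compile(r"12\.2\(33\)SXH4")  # release named in the notice
ENTRY = re.compile(r"^crypto (dynamic-map|map) (\S+) (\d+)(.*)$")

# Constructed sample input, modelled on the notice's Example 1 and Example 2.
SAMPLE_VERSION = "Cisco IOS Software, Version 12.2(33)SXH4, RELEASE SOFTWARE"
SAMPLE_CONFIG = """\
crypto dynamic-map test 10
 set transform-set tset
 match address 101
crypto dynamic-map noacl 10
 set transform-set tset
crypto map test_dcm 1 ipsec-isakmp dynamic test
crypto map ipsecmap 1 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ts
 match address 110
!
interface GigabitEthernet1/1
 crypto connect vlan 100
"""

def risky_crypto_maps(show_version, running_config):
    """Return crypto map entries that match the notice's Example 1 or 2."""
    lines = [raw.strip() for raw in running_config.splitlines()]
    if not AFFECTED.search(show_version):
        return []  # workaround 1: image is not based on 12.2(33)SXH4
    if "crypto engine mode vrf" in lines:
        return []  # workaround 2: VRF Mode (assumed marker line)
    if not any(l.startswith("crypto connect vlan") for l in lines):
        return []  # no Crypto Connect Mode marker (assumed marker line)
    findings, current = [], None
    for line in lines:
        m = ENTRY.match(line)
        if m:
            kind, name, seq, rest = m.groups()
            # "crypto map X n ipsec-isakmp dynamic Y" only references a dynamic map
            current = None if re.search(r"\bdynamic\b", rest) else (kind, name, seq)
        elif current and line.startswith("match address "):
            label = ("dynamic map with explicit ACL"
                     if current[0] == "dynamic-map" else "static map")
            findings.append(f"{label}: {current[1]} {current[2]} (ACL {line.split()[2]})")
        elif not line.startswith(("set ", "match ")):
            current = None  # left the crypto map sub-command block
    return findings

if __name__ == "__main__":
    print("\n".join(risky_crypto_maps(SAMPLE_VERSION, SAMPLE_CONFIG)))
```

The dynamic map `noacl` is not reported because it has no `match address` line, which corresponds to the third workaround.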
DDTS
To follow the bug ID link below and see detailed bug information, you must be a registered customer and you must be logged in.
| DDTS | Description |
|---|---|
| CSCek77996 (registered customers only) | Integrated in: 12.2(32.08.11)XID112.3 12.2(32.08.11)XJC153.1 12.2(33)SXI 12.2(33.04.19)SXH |
For More Information
If you require further assistance, or if you have any further questions about this field notice, contact the Cisco Systems Technical Assistance Center (TAC) by one of these methods: