Crypto Engines have to be identical. Crypto Engines have to be the AIM modules HPII+ or EPII+, onboard is not supported. I would suspect the SSL modules are supported now as well.
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chap ter09186a0080455b64.html#wp1043332 David -- http://dcp.dcptech.com > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Joann Deng > Sent: Monday, June 18, 2007 2:37 PM > To: Rodney Dunn > Cc: [email protected] > Subject: Re: [c-nsp] Disable cryptographic hardware on Cisco 3845 > > I am configuring stateful failover for IPSec on rtp03 and > rtp04, but got the following error message, then I wondered > if I can disable the crypto hardware. > > rtp03# > *Jun 18 00:35:37.574: > %CRYPTO_HA_IPSEC-4-CRYPTO_HA_NOT_SUPPORTED_BY_HW: > Crypto hardware is enabled and it does not support HA > operation 'IPSec - extract keys' > vzsjcnrtp03# > > rtp04# > *Jun 18 00:42:28.026: > %CRYPTO_HA_IKE-4-CRYPTO_HA_NOT_SUPPORTED_BY_HW: Crypto > hardware is enabled and it does not support HA operation 'IKE > - manual SA create' > *Jun 18 00:42:28.026: %CRYPTO_HA_IKE-3-FAILOVER_ERROR: > Attempt to failover IKE SA > (209.114.76.195:160.33.128.84) failed due to crypto engine > does not support HA. No stateful failover available for this SA. > vzsjcnrtp04# > > --- Rodney Dunn <[EMAIL PROTECTED]> wrote: > > > Why do you want to turn it off? > > > > We do no recommend that at all becuase the performance is so much > > slower in the software path. > > > > Please don't do it unless you are simply trying to narrow > down a bug. > > > > Rodney > > > > > > <snip> > > 3800-1#sh ver | incl IOS > > Cisco IOS Software, 3800 Software > > (C3845-ADVIPSERVICESK9-M), Version 12.4(8), RELEASE SOFTWARE (fc1) > > 3800-1#config t Enter configuration commands, one per line. > End with > > CNTL/Z. > > 3800-1(config)#no crypto engin acc > > ...switching to SW crypto engine > > 3800-1(config)# > > *Jun 18 18:23:00.418: %VPN_HW-6-INFO_LOC: Crypto > > engine: onboard 0 State changed to: Disabled > > 3800-1(config)# crypto engin acc > > ...switching to HW crypto engine > > 3800-1(config)# > > *Jun 18 18:23:07.694: %VPN_HW-6-INFO_LOC: Crypto > > engine: onboard 0 State changed to: Enabled 3800-1(config)# </snip> > > > > On Mon, Jun 18, 2007 at 09:43:57AM -0700, Joann Deng > > wrote: > > > Hi group, > > > > > > Anybody knows how to disable cryptographic > > hardware on > > > Cisco 3845? As depending on configuration, either > > the > > > internal Safenet chip or the IOS software is used for > cryptographic > > > operations on Cisco 3845, > > and > > > I'd like to use IOS instead of the hardware. > > > > > > Thanks in advance, > > > > > > Joann > > > > > > > > > > > > > > > ______________________________________________________________ > ______________________ > > > Got a little couch potato? > > > Check out fun summer activities for kids. > > > > > > http://search.yahoo.com/search?fr=oni_on_mail&p=summer+activit > ies+for+kids&cs=bz > > > > > _______________________________________________ > > > cisco-nsp mailing list [email protected] > > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > > archive at > > http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > > ______________________________________________________________ > ______________________ > Take the Internet to Go: Yahoo!Go puts the Internet in your > pocket: mail, news, photos & more. > http://mobile.yahoo.com/go?refer=1GNXIC > _______________________________________________ > cisco-nsp mailing list [email protected] > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
