Cisco monitor crypto engine?

Hi there,

I have a whole bunch of 2811s that I am sending almost 100% of our traffic through the onboard crypto engine. I have some sites with more bandwidth than others and I need to monitor the crypto engine to determine if its overloaded/dropping packets. I also have 7200s with SA-VAM2+ doing the same thing.

It would be great if this could be collected via snmp but the only way I have found is via the command "show crypto engine accelerator statistic"

show crypto engine accelerator statistic

</code></div><div class="line number3 index2 alt2"><code class="text plain">Device: NETGX

Location: Onboard: 0

</code><code class="text plain">:Statistics for encryption device since the last clear

</code><code class="text plain">of counters 3432641 seconds ago

</code><code class="text plain">808722334 packets in 808650062 packets out

</code><code class="text plain">368108617535 bytes in 367973730758 bytes out

</code><code class="text plain">235 paks/sec in 235 paks/sec out

</code><code class="text plain">857 Kbits/sec in 857 Kbits/sec out

</code><code class="text plain">389962806 packets decrypted 418687256 packets encrypted

</code><code class="text plain">127542676560 bytes before decrypt 240338168075 bytes encrypted

</code><code class="text plain">108835368258 bytes decrypted 259138362784 bytes after encrypt

</code><code class="text plain">0 packets decompressed 0 packets compressed

</code><code class="text plain">0 bytes before decomp 0 bytes before comp

</code><code class="text plain">0 bytes after decomp 0 bytes after comp

</code><code class="text plain">0 packets bypass decompr 0 packets bypass compres

</code><code class="text plain">0 bytes bypass decompres 0 bytes bypass compressi

</code><code class="text plain">0 packets not decompress 0 packets not compressed

</code><code class="text plain">0 bytes not decompressed 0 bytes not compressed

</code><code class="text plain">1.0:1 compression ratio 1.0:1 overall

</code><code class="text plain">Last 5 minutes:

</code><code class="text plain">158594 packets in 158506 packets out

</code><code class="text plain">528 paks/sec in 528 paks/sec out

</code><code class="text plain">1420127 bits/sec in 1422918 bits/sec out

</code><code class="text plain">18559180 bytes decrypted 29269415 bytes encrypted

</code><code class="text plain">501599 Kbits/sec decrypted 791065 Kbits/sec encrypted

</code><code class="text plain">1.0:1 compression ratio 1.0:1 overall

</code></div><div class="line number30 index29 alt1"><code class="text spaces"><strong>pkts dropped: 72272</strong>

</code><code class="text plain">fw_failure: 0 invalid_flow: 0 netgx sessions: 2

</code><code class="text plain">ownership_err: 0 null_data: 0 reqId mismatch: 0

</code><code class="text plain">fw_qs_filled: 0 fw_resource_lock:0

</code><code class="text plain">tx_hi_drops: 0 pak_too_big: 0

</code><code class="text plain">pak_mp_length_spec_fault: 0

</code><code class="text plain">Interrupts: Notify = 0, Reflected = 0, Spurious = 0

</code><code class="text plain">ring limit:64 current desc used: 0 current ring index: 34

</code><code class="text plain">wait session queue: 0 msg session buf queue: 1024

</code></div><div class="line number38 index37 alt1"><code class="text plain">

So I really want to see this somewhere that I can create an alert on it and add it to my dashboard.  Unfortunatly I dont think there is any easy way to determine the "Load" on the crypto engine.  From my understanding though if its dropping packets its overloaded.

Find more posts tagged with

network_monitoring

network_management

Accepted answers

All comments

JustinY

Anyone?

I need to monitor when packets are being dropped due to the crypto accelerator not being able to handle the traffic. This stat is not exposed via SNMP so I am going to need to poll via a script or something then compare it to the previous query to determine if there have been any additional packets lost. If so I have to trigger an alert.

This is the output of the command I need to monitor.
show cry engine acc statistic | i dropped
pkts dropped: 113701

The Universal Device Poller will not work because this is not accessible via SNMP.

Is there any other way to monitor this?

Thanks.

familyofcrowes

try this: Re: Can you write a report or a job based on Show Commands?

JustinY

Except that does not allow me to do real-time monitoring just a snapshot whenever its ran. It would be better to have real-time stats, history, alerts. As part of the NPM engine.

rstoney00

If that is the requirement, you may be trying to approach it in the wrong direction.

"Polling" - is used by most performance managers to collect stats and conditions. As you pointed out, this is 'at the time of the poll'

Common facility used to provide more "real-time" status for error conditions, which is what I would take you are looking for is handled better by traps.

You may wish to see if there are MIBs for trapping that condition (dropped packets) send them over to SolarWinds for processing. From there, you can set rules and then alerts to tell you when that dropped packet count changes, or goes above thresholds you set.

Your Cisco device can be set with filtering facility to only send traps of that particular OID or condition to SolarWinds, so you can avoid flooding it with other trap types.

Word of caution - do be sure to have 'trap clean up' rules as part of your rule-set on the trap engine. SolarWinds performance as a whole can suffer if the trap table gets too large.

It is a pretty large number, depending on how robust your SQL machine is, but clean-up is always a good idea.

Quick Links

All Categories
Recent Posts
Activity
Unanswered
Groups
Help
Best Of