IPSec Manager Support on Demux DPC2 cards

Feature Summary and Revision History

Summary Data

Applicable Product(s) or Functional Area: IPSec (IKEv1/IKEv2 ACL Mode)

Applicable Platform(s): ASR 5500 (DPC2)

Default Setting: Disabled - Configuration Required

Related Changes in This Release: Not Applicable

Related Documentation: Command Line Interface Reference

Revision History

Revision Details: First introduced.

Release: 21.13

Feature Description

With the 21.13 release, Crypto processing for Crypto map has moved to the Demux card. Because no session manager is spawned on the Demux card, its under-utilized cores are used for IPSec traffic processing without affecting user data processing on non-Demux DPC2 cards. A CLI command is available to control the spawning of the IPSec manager on the Demux card.

How it Works

Limitations

This section describes the known limitations for IPSec Manager Support on Demux DPC2 cards.

  • This feature is supported only for DPC2.

  • This feature is applicable for ACL mode for IKEv1, IKEv2-v4, and IKEv2-v6.

  • The ipsec-on-demux CLI command does not work when Demux on MIO is enabled.

  • Each IPSec manager will serve only eight Crypto maps.

  • A maximum of one IPSec manager is supported per CPU, and a maximum of three at the card level, for IKEv1 and IKEv2 separately.

  • If more than 24 active Crypto maps are configured, then the fourth and subsequent IPSec managers are spawned on the non-Demux DPC2 card. Each new IPSec manager handles the original number of Crypto maps (that is, 150).

  • If a new Crypto map is configured without the CLI, then it spawns or reuses IPSec managers present on a non-Demux DPC2 card. It does not reuse or spawn IPSec managers already running on the Demux card.

  • If a new Crypto map is configured with the CLI, then it spawns or reuses IPSec managers present on the Demux DPC2 card. It does not reuse or spawn IPSec managers already running on the non-Demux card.

  • When the limit of 24 configured Crypto maps is exceeded, the subsequent new Crypto map (whether configured or not) is served by IPSec managers present in the Demux DPC2 cards.

  • If any Crypto map with the CLI that is served by IPSec managers in Demux is removed, and then a new map or the same map is added with the CLI again, it is served by the IPSec manager in Demux.

  • When the context is removed, its IPSec managers are also removed. This creates room for new Crypto maps with the CLI and for IPSec managers, within the limit of 24 maps and 3 IPSec managers on the Demux card.

  • Only one IPSec manager is spawned on each core of the Demux card; as a result, a maximum of three IPSec managers are spawned on the Demux DPC2 card.

  • Each IPSec manager running on the Demux card serves a maximum of eight active Crypto maps.

  • Demux on MIO card is not supported.

  • To spawn IPSec managers on Demux, ipsec-on-demux must be configured on the Crypto map before the map is associated with the interface.

  • Every new context spawns a new IPSec manager if a new Crypto map is added under it. If there are 3 contexts, then individual contexts must not have more than 8 Crypto maps each, to make optimum use of resources. If an individual context has more than 8 Crypto maps, then not all of the 24 Crypto maps will be served by IPSec managers running on the Demux card.

  • IKEv1 and IKEv2 spawn IPSec managers independently, and the IPSec managers share the same resources if both are used in combination. Therefore, it is recommended to use either IKEv1 or IKEv2 for the Demux card.

  • The CLI is visible on the DPC1 platform, but it is not supported.

  • Because each Crypto group spawns two IPSec managers (the peers are different in the primary and secondary IKEv1 maps), only 8 sets of Crypto groups are allowed.

  • No more than eight Crypto maps can be used with the same SRC and DST IP address, because they are served by the same IPSec manager and each IPSec manager on Demux is limited to 8 Crypto maps.

Configuring IPSec Manager Support on Demux DPC2 cards

This section provides information on the CLI commands to configure IPSec Manager on Demux of DPC2.

Enabling IPSec Manager Spawning

Use the following configuration to enable spawning of IPSec manager for a Crypto map on the Demux Card.


Important

It is mandatory to configure the require demux processing-card and require session recovery commands before configuring the ipsec-on-demux command.


configure
    context context_name
        crypto map policy_name ipsec-ikev1
            ipsec-on-demux
            end

NOTES:

  • no : Disables the spawning of IPSec manager for Crypto map on Demux Card.


    Important

    If the configuration is removed using the no ipsec-on-demux option, then this Crypto map must be removed and added again for this configuration to work.


  • ipsec-on-demux : Enables the spawning of IPSec manager for a Crypto map on Demux Card.
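The limits listed under Limitations and the prerequisite in the Important note above can be checked against a planned configuration before it is applied. The following Python is an added example, not Cisco code: it models only the documented limits (eight Crypto maps per IPSec manager, three IPSec managers on the Demux card, a separate manager per context) and assumes that contexts claim manager slots in configuration order; the sample configuration and its context and map names are constructed.

```python
import math
import re

MAPS_PER_MANAGER = 8    # page: each IPSec manager on Demux serves eight Crypto maps
MANAGERS_PER_CARD = 3   # page: at most three IPSec managers on the Demux card
PREREQS = ("require demux processing-card", "require session recovery")

def sample_config(maps_per_context):
    """Constructed config in the page's syntax; context and map names are hypothetical."""
    out = ["configure", *PREREQS]
    for ctx, count in maps_per_context.items():
        out.append(f"context {ctx}")
        for i in range(count):
            out += [f"crypto map {ctx}_map{i} ipsec-ikev1", "ipsec-on-demux"]
    return "\n".join(out + ["end"])

def audit(config_text):
    """Return (prerequisites missing before first ipsec-on-demux, per-context placement)."""
    seen, missing, demux_maps = set(), None, {}
    context = current_map = None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line in PREREQS:
            seen.add(line)
        elif m := re.fullmatch(r"context (\S+)", line):
            context, current_map = m.group(1), None
        elif m := re.fullmatch(r"crypto map (\S+) \S+", line):
            current_map = m.group(1)
        elif line == "ipsec-on-demux" and context and current_map:
            if missing is None:  # the page requires both commands before this one
                missing = [p for p in PREREQS if p not in seen]
            demux_maps.setdefault(context, []).append(current_map)
    free, report = MANAGERS_PER_CARD, {}
    # Assumption: contexts claim Demux manager slots in configuration order.
    for ctx, maps in demux_maps.items():
        granted = min(math.ceil(len(maps) / MAPS_PER_MANAGER), free)
        free -= granted
        on_demux = min(len(maps), granted * MAPS_PER_MANAGER)
        report[ctx] = {"managers": granted, "on_demux": on_demux,
                       "overflow": len(maps) - on_demux}  # maps beyond Demux capacity
    return missing or [], report

if __name__ == "__main__":
    # 24 flagged maps in total, but ctx_b needs two managers, leaving none for ctx_c.
    missing, report = audit(sample_config({"ctx_a": 8, "ctx_b": 10, "ctx_c": 6}))
    print("missing prerequisites:", missing)
    for ctx, row in report.items():
        print(ctx, row)
```

With 8, 10 and 6 flagged maps in three contexts, the second context consumes two manager slots and the third context's six maps fall outside the Demux card's capacity, which is the situation the per-context limit of eight maps is meant to avoid.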

Monitoring and Troubleshooting

This section provides information regarding show commands available to monitor and troubleshoot the IPSec Manager Support on Demux DPC2 cards.

Show Commands and Outputs

show crypto managers ipsec_manager_instance

The output of this command includes the "Demux Card" field.