BugZero | Cisco BugID CSCwa76962 - Overruns and performance issues observed with cryp...

Cisco - Defect ID: CSCwa76962

Overruns and performance issues observed with crypto configuration enabled on C8500L

Cisco - Defect ID: CSCwa76962

Overruns and performance issues observed with crypto configuration enabled on C8500L

Last updated on September 29th, 2025

BugZero Risk Score
7.8 High

Overall: 7.8

Severity: 8.2

Lifecycle: 9.1

Popularity: 4.6

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Views: 6

Description

Symptom

Overruns and performance issues observed with crypto configuration enabled on C8500L-8S4X. The throughput degrades over time due to a resource leaks impacting packet reception on some active interfaces. If flow control has been negotiated with devices connected to GigE or TenGigE interfaces, a pause frame generation will be high coming from the C8500L-8S4X. Please observe below an interface affected by this problem: #show int te0/1/0 TenGigabitEthernet0/1/0 is up, line protocol is up 20875 input errors, 0 CRC, 0 frame, 20875 overrun, 0 ignored 0 lost carrier, 0 no carrier, 803 pause output interface TenGigabitEthernet0/1/0 ip address X.X.X.X X.X.X.X interface Tunnel1 ip address X.X.X.X X.X.X.X tunnel source tunnel mode gre multipoint tunnel protection ipsec profile PROFILE-NAME In the example above, the physical outbound interface for Tunnel1 is TenGigabitEthernet0/1/0. IPSEC is enabled under the Tunnel. For further isolation, please follow-up the steps below: Identify the FPE value for the affected interface, in this scenario Te0/1/0 #show platform hardware qfp active data infra bind Port Instance Bindings: ID Port IOS Port WRKR12 WRKR13 1 rcl0 rcl0 Rx Tx 2 ipc ipc Rx+Tx - 3 vxe_punti vxe_puntif Rx+Tx - 4 fpe0 GigabitEthernet0/0/0 Rx+Tx - 5 fpe1 GigabitEthernet0/0/1 Rx+Tx - 6 fpe2 GigabitEthernet0/0/2 - Rx+Tx 7 fpe3 GigabitEthernet0/0/3 Rx+Tx - 8 fpe4 GigabitEthernet0/0/4 - Rx+Tx 9 fpe5 GigabitEthernet0/0/5 Rx+Tx - 10 fpe6 GigabitEthernet0/0/6 - Rx+Tx 11 fpe7 GigabitEthernet0/0/7 Rx+Tx - 12 fpe8 TenGigabitEthernet0/1/0 - Rx+Tx 13 fpe9 TenGigabitEthernet0/1/1 Rx+Tx - 14 fpe10 TenGigabitEthernet0/1/2 - Rx+Tx 15 fpe11 TenGigabitEthernet0/1/3 Rx+Tx - Recollect the data plane PPE Usage, looking at the column "Credits Usage". In this example the interested line for the affected interface is FPE8: ROUTER#show platform hardware qfp active datapath infrastructure sw-cio Credits Usage: ID Port Wght Global WRKR0 WRKR1 WRKR2 WRKR3 WRKR4 WRKR5 WRKR6 WRKR7 WRKR8 WRKR9 WRKR10 WRKR11 WRKR12 WRKR13 WRKR14 WRKR15 Total 1 rcl0 1: 6048 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 0 6144 1 rcl0 128: 6048 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 0 6144 2 ipc 1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3 vxe_punti 1: 461 0 0 0 0 0 0 0 0 0 0 0 0 51 0 0 0 512 4 fpe0 1: 1952 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 0 2048 4 fpe0 2: 1952 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 0 2048 5 fpe1 1: 1952 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 0 2048 5 fpe1 2: 1952 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 0 2048 6 fpe2 1: 1952 0 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 2048 6 fpe2 2: 1952 0 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 2048 7 fpe3 1: 1952 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 0 2048 7 fpe3 2: 1952 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 0 2048 8 fpe4 1: 1952 0 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 2048 8 fpe4 2: 1952 0 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 2048 9 fpe5 1: 1952 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 0 2048 9 fpe5 2: 1952 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 0 2048 10 fpe6 1: 1952 0 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 2048 10 fpe6 2: 1952 0 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 2048 11 fpe7 1: 1952 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 0 2048 11 fpe7 2: 1952 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 0 2048 12 fpe8 1: 0 0 0 0 0 0 0 0 0 0 0 0 0 3 57 0 0 60 <------------ should be close 2048 12 fpe8 2: 1952 0 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 2048 13 fpe9 1: 1179 0 0 0 0 0 0 0 0 0 0 0 0 86 16 0 0 1281 13 fpe9 2: 1952 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 0 2048 14 fpe10 1: 1155 0 0 0 0 0 0 0 0 0 0 0 0 0 112 0 0 1267 14 fpe10 2: 1952 0 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 2048 15 fpe11 1: 1952 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 0 2048 15 fpe11 2: 1952 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 0 2048 This is an evidence of leaked credits, at idle (no traffic). Under traffic it is expected that this command shows low values, but at idle we would expect the credit values to return to their original count prior to traffic and subsequent loss.

Conditions

This issue will occur on C8500L-8S4X platform configured with crypto during periods of increased loads.

Workaround

The router must be rebooted to recover the lost resources. The reboot can be delayed by moving connections to the ports generating pause frames to previously unused ports, however, the problem might be observed after some time. For a permanent solution, the router software must be upgraded to resolve the issue to 17.6.3.

Further Problem Description

This loss of packets leads to interface credits being lost, resulting in less packets being processed and decreased performance. The loss of credits can be observed using the IOS exec command `show platform hardware qfp active datapath infrastructure sw-cio` at idle (no traffic). Under traffic it is expected that this command shows low values, but at idle we would expect the credit values to return to their original count prior to traffic and subsequent loss.

Relevant Products

Click on a version to see all relevant bugs

Affected versions:No known affected versions

Fixed versions: 17.10.1, 17.10.1a, 17.10.1b, 17.11.1, 17.11.1a, 17.12.02a, 17.12.1, 17.12.1w, 17.12.1x, 17.12.1y, 17.12.1z, 17.12.1z1, 17.12.1z2, 17.12.2, 17.12.2a, 17.12.3, 17.12.3a, 17.12.4, 17.12.4a, 17.13.1, 17.13.1a, 17.14.1, 17.14.1a, 17.15.1, 17.15.1a, 17.15.1b, 17.15.1w, 17.15.1x, 17.15.2, 17.15.2b, 17.15.2c, 17.16.1, 17.16.1a, 17.6.3, 17.6.3a, 17.6.4, 17.6.5, 17.6.5a, 17.6.6, 17.6.6a, 17.6.7, 17.6.8, 17.6.8a, 17.7.2, 17.8.1, 17.8.1a, 17.9.1, 17.9.1a, 17.9.1w, 17.9.1x, 17.9.1x1, 17.9.1y, 17.9.1y1, 17.9.2, 17.9.2a, 17.9.3, 17.9.3a, 17.9.4, 17.9.4a, 17.9.5, 17.9.5a, 17.9.5b, 17.9.5c, 17.9.5d, 17.9.5e, 17.9.6, 17.9.6a, 17.9.6b

Relevant Products

Click on a version to see all relevant bugs

Affected versions:No known affected versions

Top Cisco Defects

9.8Defect ID: CSCwt50498
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
9.7Defect ID: CSCvx32806
Access Points stuck in bootloop due to image checksum verification failed
9.7Defect ID: CSCws52722
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
9.7Defect ID: CSCvw95683
Catalyst 1000 Switch may exhibit random Crash/Hang/Silent-Reload.
9.7Defect ID: CSCvz07394
2960X Stack may observe hang/freeze of member switches or complete stack.

Ready to prevent the next vendor outage?

Get a demo

Cisco - Defect ID: CSCwa76962

Overruns and performance issues observed with crypto configuration enabled on C8500L

Cisco - Defect ID: CSCwa76962

Overruns and performance issues observed with crypto configuration enabled on C8500L

Last updated on September 29th, 2025

BugZero Risk Score7.8 High

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Top Cisco Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
7.8 High