Question

Please help me to resolve an issue with a Cisco881G device.

My company bought a Cisco881G. Out of the box we have the npe firmware: c880data-universalk9_npe-mz.152-3.T1.bin. It's known that this firmware doesn't work with encryption. I tried to update the firmware to c880data-universalk9-mz.152-3.T1.bin. As you can see, this is the same firmware, but without npe. After the update I rebooted the device and ran into the problem: the device can't start up correctly and creates the file crashinfo_20130902-140731-UTC. I tried other firmwares but the result is the same. In the crashinfo file we can see:

*Jan  2 00:00:02.811: %LICENSE-6-EULA_ACCEPT_ALL: The Right to Use End User License Agreement is accepted
*Jan  2 00:00:02.847: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c880-data Next reboot level = advsecurity and License = No valid license found
*Sep  2 14:07:30.055: %IFMGR-7-NO_IFINDEX_FILE: Unable to open nvram:/ifIndex-table No such file or directory
*Sep  2 14:07:30.163: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Initialized 

*Sep  2 14:07:30.283: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Enabled 
*Sep  2 14:07:30.311: SEC_POST: AES-192 decryption output mismatch!
*Sep  2 14:07:30.311: SEC_POST: POST Test for AES-192 Failed
*Sep  2 14:07:30.311: %VPN_HW-0-SELF_TEST_FAILURE: Hardware Crypto self-test failed (SEC2.0 POST(Power-On-Self-Test) Failed!)
*Sep  2 14:07:31.435: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:01 to ensure console debugging output.

Please help me to understand why I have the problem and what this message means. Thanks in advance for your help.

Solution

It means the onboard encryption engine is damaged/malfunctioning/disabled and doesn't return the power-up test results as it should. It could be that the router was built for sale in an area that doesn't allow payload encryption and it was physically disabled by Cisco during manufacturing, or the chip is just broken and the reseller loaded it without encryption to get it to pass POST on boot-up.

See the Cisco documentation here:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps5460/product_bulletin_c25-566278_ps10537_Products_Bulletin.html

  1. Universal images with the "universalk9_npe" designation in the image name: The strong enforcement of encryption capabilities provided by Cisco Software Activation satisfies requirements for the export of encryption capabilities. However, some countries have import requirements that require that the platform does not support any strong crypto functionality such as payload cryptography. To satisfy the import requirements of those countries, the 'npe' universal image does not support any strong payload encryption. This image supports security features like Zone-Based Firewall, Intrusion Prevention through SECNPE-K9 license.

IOS 15 uses the CSA to inhibit export of munitions grade crypto packages, but there may be a jumper or switch on the motherboard to disable the onboard crypto co-processor.

Also double check the SHA of the firmware it shipped with compared to firmware available from Cisco; the device may be counterfeit.
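
For triaging a crashinfo file like the one in the question, the following added example (not part of the original answer and not a Cisco tool) scans IOS log lines for failed SEC_POST self-tests and for high-severity system messages. The function name `triage` and the severity cut-off are assumptions; the sample lines are copied from the excerpt in the question.

```python
import re

# Lines copied from the crashinfo excerpt in the question above.
SAMPLE = """\
*Jan  2 00:00:02.847: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c880-data Next reboot level = advsecurity and License = No valid license found
*Sep  2 14:07:30.283: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Enabled
*Sep  2 14:07:30.311: SEC_POST: AES-192 decryption output mismatch!
*Sep  2 14:07:30.311: SEC_POST: POST Test for AES-192 Failed
*Sep  2 14:07:30.311: %VPN_HW-0-SELF_TEST_FAILURE: Hardware Crypto self-test failed (SEC2.0 POST(Power-On-Self-Test) Failed!)
"""

# IOS system messages have the form %FACILITY-SEVERITY-MNEMONIC: text,
# where severity 0 (emergency) is the most severe and 7 is debugging.
SYSMSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)"
)
# Unstructured self-test result lines, as they appear in the excerpt.
POST_FAIL = re.compile(r"SEC_POST: POST Test for (?P<alg>\S+) Failed")


def triage(log_text, max_severity=2):
    """Return (failed_algorithms, critical_messages) found in log_text.

    max_severity is an assumed cut-off: messages at severity 0..2
    (emergency, alert, critical) are reported, the rest are ignored.
    """
    failed, critical = [], []
    for line in log_text.splitlines():
        m = POST_FAIL.search(line)
        if m:
            failed.append(m.group("alg"))
            continue
        m = SYSMSG.search(line)
        if m and int(m.group("sev")) <= max_severity:
            critical.append((m.group("facility"), int(m.group("sev")),
                             m.group("mnemonic"), m.group("text").strip()))
    return failed, critical


if __name__ == "__main__":
    failed, critical = triage(SAMPLE)
    print("failed self-tests:", failed)
    for fac, sev, mnem, text in critical:
        print(f"severity {sev} {fac}/{mnem}: {text}")
```
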

Licensed under: CC-BY-SA with attribution