Guest

Preview Tool

Cisco Bug: CSCsz38577 - SPA sVTI flap- decrypted buffer pad values incorrect - decryption errors

Last Modified

Feb 22, 2014

Products (1)

  • Cisco Catalyst 6000 Series Switches

Known Affected Releases

12.2(33)SRD1

Description (partial)

Symptom:

sVTI tunnel flaps. point to point sVTI setup, identical HW and SW on both peers.
12.2(33)SRD1 and IPSec SPA 2G

 We see continuously increasing values for the following IPSec SPA Crypto Processor indicator : "Decrypted buffer pad values incorrect". 

The above Crypto Processor error indicates that during post-decryption the ESP pad has been found   as incorrect.

Through troubleshooting we established that these CP errors are the cause and
trigger for decryption errors reported in the IPSEC SA stats and we observed that consequently they are the cause for the sVTI tunnel flaps.

We see these CP errors and decryption errors only on one peer or a point to point sVTI setup.



Conditions:

- AES128
-  path mtu discovery enabled on sVTI tunnel.
- also when manually setting the  ip mtu on the tunnel
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.