Cisco Bug: CSCun44329 - DMVPN IPsec lifetime 120 sec cause memory corruption and all tunnel down

Last Modified

Jan 29, 2017

Products (87)

  • Cisco IOS
  • Cisco 886VA-CUBE Integrated Services Router
  • Cisco 881SRSTW Integrated Services Router
  • Cisco C892FSP Integrated Services Router
  • Cisco 861W Integrated Services Router
  • Cisco 886VAG 3G Integrated Services Router
  • Cisco 892W Integrated Services Router
  • Cisco 819 Hardened Integrated Services Router
  • Cisco 812 CiFi Integrated Services Router
  • Cisco 888W Integrated Services Router

Known Affected Releases

15.2(4)M2

Description (partial)

Symptom:
A short IPsec SA lifetime of 120 seconds can cause all IPsec tunnels on the DMVPN hub to go down.

When the problem occurs, all IPsec tunnels are down.

All IKE tunnels bounce between the up and down states every minute. Usually all IKE Phase I negotiations complete, but Phase II negotiations never complete.

IKE debugs show Phase II retransmits and sometimes Phase I retransmits.

The router may also become unresponsive, and other symptoms of memory leaks or memory corruption may be seen.

Memory held by the "CRYPTO IKMP" process may grow to 60-70 MB before the issue occurs (but not always).

The router may crash; MALLOC errors and various memory-related tracebacks may be seen before the crash.

Tunnels can be recovered only by reloading the DMVPN hub router.

The average time from hub reload to recurrence of the issue is 2-3 weeks.

If there are two hubs, the issue occurs on both, but not at the same time.

Conditions:
- An IPsec SA lifetime of 120 seconds is configured on the DMVPN hub or on the DMVPN spokes (the lower of the two sides' configured values is the one negotiated, so a single spoke set to 120 seconds is enough to trigger the condition on the hub)

- Multiple DMVPN spokes are present
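
The IOS CLI below is an added illustration, not text from the Cisco bug report: it shows the two places the 120-second lifetime that meets the condition above can be configured, the show commands a practitioner would use on the hub and on each spoke to confirm which lifetime is actually negotiated and to watch the IKMP process memory, and the setting returned to the IOS default of 3600 seconds, which removes the stated trigger condition. The profile, transform-set and tunnel names are placeholders; the Known Fixed Releases and any Cisco-documented workaround are behind the login and are not reproduced here.

```cisco
! --- Trigger condition, global form: every IPsec SA rekeys every 120 s ---
crypto ipsec security-association lifetime seconds 120
!
! --- Trigger condition, per-profile form (overrides the global value for
!     SAs built through this profile; names are placeholders) ---
crypto ipsec profile DMVPN-PROFILE
 set security-association lifetime seconds 120
 set transform-set TS-AES256-SHA
!
interface Tunnel0
 tunnel protection ipsec profile DMVPN-PROFILE
!
! --- Checks: run on the hub AND on each spoke, because the lower of the
!     two sides' values wins the negotiation ---
show crypto ipsec security-association lifetime
show crypto ipsec sa | include peer|lifetime
show crypto isakmp sa
show dmvpn
show processes memory sorted | include IKMP
!
! --- Removing the trigger condition: drop both overrides so the IOS
!     default (3600 seconds) applies again ---
no crypto ipsec security-association lifetime seconds
crypto ipsec profile DMVPN-PROFILE
 no set security-association lifetime seconds 120
```

A lifetime change only affects SAs negotiated after it; existing SAs keep the lifetime they were built with until they rekey (or are cleared with clear crypto sa), so the second show crypto ipsec sa check should be repeated after a rekey interval to confirm that no peer is still proposing 120 seconds.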