Cisco Bug: CSCuo98509 - GETVPN Not Properly Encrypting Fragmented Traffic using Transport Mode

Last Modified

Feb 28, 2018

Products (1)

  • Cisco IOS

Known Affected Releases

15.4(1.3)S

Description (partial)

Symptom:
If a GETVPN Group Member (GM) receives and encrypts IP fragments, the fragments are not encrypted properly before being routed across the GETVPN transport network. Because GETVPN preserves the original IP header, the original fragment offset and "more fragments" flag are copied into the header of the ESP packet when encryption is applied. The receiving GM then drops the fragments, since the ESP data does not align with the fragment offset. The receiving GM logs the following error:

%IOSXE-3-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:019 TS:00000000185993173616 %IPSEC-3-FRAG_ERROR: IPSec SA received fragmented ESP packet, DP Handle 4, src_addr 11.11.11.1, dest_addr 22.22.22.1, SPI (0x17911289)

Conditions:
  • Encrypting fragmented traffic using GETVPN
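The following is an added diagnostic example, not Cisco code or part of this bug record. It shows what the symptom looks like on the wire and in syslog: it parses a raw IPv4 header, flags ESP packets whose outer header carries fragment bits (the header-preservation effect described above), and extracts src/dst/SPI from the %IPSEC-3-FRAG_ERROR line. Packet bytes are constructed here; the fragment offset 185 is an assumed sample value.

```python
"""Spot ESP packets whose outer IPv4 header carries fragment fields."""
import re
import struct

ESP_PROTO = 50          # IP protocol number for ESP
MF_FLAG = 0x2000        # "more fragments" bit in the flags/offset field
DF_FLAG = 0x4000        # "don't fragment" bit
FRAG_ERROR_RE = re.compile(
    r"%IPSEC-3-FRAG_ERROR: .*?src_addr (?P<src>[\d.]+), "
    r"dest_addr (?P<dst>[\d.]+), SPI \(0x(?P<spi>[0-9a-fA-F]+)\)")


def parse_ipv4_header(pkt: bytes) -> dict:
    """Return protocol, fragment bits and addresses from a raw IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {"proto": proto,
            "mf": bool(flags_frag & MF_FLAG),
            "frag_offset": flags_frag & 0x1FFF,   # in 8-byte units
            "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst))}


def is_fragmented_esp(pkt: bytes) -> bool:
    """True when the packet is ESP and its outer header claims to be a fragment,
    which is what the receiving GM rejects with IPSEC-3-FRAG_ERROR."""
    h = parse_ipv4_header(pkt)
    return h["proto"] == ESP_PROTO and (h["mf"] or h["frag_offset"] > 0)


def build_ipv4(src: str, dst: str, proto: int, flags_frag: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet for testing (checksum left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload


def parse_frag_error(line: str):
    """Extract src, dst and SPI from an IPSEC-3-FRAG_ERROR syslog line."""
    m = FRAG_ERROR_RE.search(line)
    return None if m is None else {"src": m["src"], "dst": m["dst"], "spi": int(m["spi"], 16)}


# Constructed samples: SPI and addresses taken from the log line above.
ESP_PAYLOAD = struct.pack("!II", 0x17911289, 1) + b"\x00" * 16    # SPI, seq, dummy data
GOOD = build_ipv4("11.11.11.1", "22.22.22.1", ESP_PROTO, DF_FLAG, ESP_PAYLOAD)
BAD = build_ipv4("11.11.11.1", "22.22.22.1", ESP_PROTO, MF_FLAG | 185, ESP_PAYLOAD)  # preserved bits
SAMPLE_LOG = ("%IPSEC-3-FRAG_ERROR: IPSec SA received fragmented ESP packet, DP Handle 4, "
              "src_addr 11.11.11.1, dest_addr 22.22.22.1, SPI (0x17911289)")
```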
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.