Cisco Bug: CSCup34371 - GETVPN GM stops decrypting traffic after TEK rekey

Last Modified

Dec 06, 2019

Products (102)

  • Cisco IOS
  • Cisco C897VA Integrated Services Router
  • Cisco C892FSP Integrated Services Router
  • Cisco 1905 Serial Integrated Services Router
  • Cisco 819 Hardened Integrated Services Router
  • Cisco 881SRSTW Integrated Services Router
  • Cisco 886VA-CUBE Integrated Services Router
  • Cisco 892W Integrated Services Router
  • Cisco 888W Integrated Services Router
  • Cisco 2951 Integrated Services Router

Known Affected Releases

15.2(4)M 15.2(4)M4.4 15.2(4)M6 15.3(0.5)T 15.4(2)T1

Description (partial)

Symptom:
GETVPN GM stops decrypting traffic after TEK rekey (1-2 times per day with a 7200s TEK lifetime)

Conditions:
Several conditions must be satisfied for this issue to be seen. The crypto map must be shared (for example, several interfaces with the same crypto map sourced from the same interface), the old and new SPI during rekey must have a hash collision on the higher 4 bits, and the interface of the incoming packet must have an address that is higher than the one stored in the SA, since the crypto map is shared.