Cisco Bug: CSCuq10053 - GETVPN when IPV6 acl exceeds 100 entries GM fails to register at rekey

Last Modified

Jan 30, 2017

Products (1)

  • Cisco IOS

Known Affected Releases

15.3(0.1)

Description (partial)

Symptom:
When the crypto ACL on the KS exceeds 100 entries and we issue the 'crypto gdoi ks rekey' command, the KS creates a new TEK policy and sends a rekey, but the GM still uses the old policy and traffic flows
encrypted until the old policy expires. After that the GM fails to re-register or install any further KS policies until we remove the extra ACL entries on the KS and keep the list below 100 entries.

If we do the same for an IPv4 crypto ACL, we see that the ASR receives and correctly installs the new TEK and the old one with a shortened lifetime.

GM shows the following error message:
Jul 24 08:56:44.172: GDOI:GM INFRA:ERR:(36794:65300):Couldn't match SPI in KD TEK mid is 0; spi size is 4; spi  is 0x23FDC230
Jul 24 08:56:44.172: %GDOI-3-GDOI_REKEY_FAILURE: Processing of REKEY payloads failed on GM y.y.y.y in the group IPV6-GROUP-NAME, with peer at x.x.x.x
Jul 24 08:56:44.172: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of GDOI mode failed with peer at x.x.x.x

Conditions:
The KS crypto IPv6 ACL has to exceed 100 entries.
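A defender-side check, added here as an example and not part of the Cisco bug record: it counts the entries of each `ipv6 access-list` in an IOS running-config and flags any above the 100-entry threshold given in this bug, and it extracts GM, group and peer from the `%GDOI-3-GDOI_REKEY_FAILURE` syslog line quoted above. The config fragment and the log sample are constructed; the ACL names are made up.

```python
import re
# Threshold from the bug record: a KS IPv6 crypto ACL with more than 100
# entries triggers the GM rekey failure described above.
ACL_ENTRY_LIMIT = 100
# Constructed IOS running-config fragment (not from the bug page): a 3-entry
# IPv6 ACL plus a generated 101-entry one.
SAMPLE_CONFIG = "\n".join(
    ["ipv6 access-list SMALL-V6-ACL",
     " remark constructed sample, remarks are not entries",
     " permit ipv6 2001:db8:1::/48 any",
     " deny ipv6 2001:db8:2::/48 any",
     " permit ipv6 any any",
     "!",
     "ipv6 access-list BIG-V6-ACL"]
    + [f" sequence {10 * i} permit ipv6 2001:db8:{i:x}::/48 any" for i in range(1, 102)]
    + ["!"])

# Constructed syslog sample: the GM messages quoted in the bug plus one benign line.
SAMPLE_LOG = """\
Jul 24 08:56:44.172: GDOI:GM INFRA:ERR:(36794:65300):Couldn't match SPI in KD TEK mid is 0; spi size is 4; spi  is 0x23FDC230
Jul 24 08:56:44.172: %GDOI-3-GDOI_REKEY_FAILURE: Processing of REKEY payloads failed on GM y.y.y.y in the group IPV6-GROUP-NAME, with peer at x.x.x.x
Jul 24 08:56:44.172: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of GDOI mode failed with peer at x.x.x.x
Jul 24 08:57:00.001: %SYS-5-CONFIG_I: Configured from console by admin
"""
ACL_HEADER = re.compile(r"^ipv6 access-list (\S+)\s*$")
ACE_LINE = re.compile(r"^\s+(?:sequence \d+ )?(?:permit|deny)\b")  # one ACE per line
REKEY_FAILURE = re.compile(r"%GDOI-3-GDOI_REKEY_FAILURE: Processing of REKEY payloads "
                           r"failed on GM (\S+) in the group (\S+), with peer at (\S+)")

def count_ipv6_acl_entries(config: str) -> dict:
    """Return {acl_name: ACE count} for every 'ipv6 access-list' block."""
    counts, current = {}, None
    for line in config.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            counts[current] = 0
        elif current and ACE_LINE.match(line):
            counts[current] += 1
        elif not line.startswith(" "):  # '!' or another top-level command ends the block
            current = None
    return counts

def acls_over_limit(config: str, limit: int = ACL_ENTRY_LIMIT) -> list:
    """Names of IPv6 ACLs whose entry count exceeds the limit this bug is sensitive to."""
    return [name for name, n in count_ipv6_acl_entries(config).items() if n > limit]

def find_rekey_failures(log: str) -> list:
    """Extract GM, group and peer from GDOI rekey-failure syslog lines."""
    return [{"gm": m.group(1), "group": m.group(2), "peer": m.group(3)}
            for m in map(REKEY_FAILURE.search, log.splitlines()) if m]
```

Run the ACL count against the KS configuration before issuing a rekey on an affected release, and alert on the rekey-failure match in GM syslog to catch the failure before the old TEK expires.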