Cisco Bug: CSCuq10053 - GETVPN when IPV6 acl exceeds 100 entries GM fails to register at rekey
Jan 30, 2017
- Cisco IOS
Known Affected Releases
Symptom: When the crypto ACL on the KS exceeds 100 entries and we issue the 'crypto gdoi ks rekey' command, the KS creates a new TEK policy and sends a rekey, but the GM still uses the old policy and traffic flows encrypted until the old policy expires. After that the GM fails to re-register or install any further KS policies until we remove the extra ACL entries on the KS and keep the list below 100 entries. If we do the same with an IPv4 crypto ACL, the ASR receives and correctly installs the new TEK and the old one with a shortened lifetime.

GM shows the following error messages:

Jul 24 08:56:44.172: GDOI:GM INFRA:ERR:(36794:65300):Couldn't match SPI in KD TEK mid is 0; spi size is 4; spi is 0x23FDC230
Jul 24 08:56:44.172: %GDOI-3-GDOI_REKEY_FAILURE: Processing of REKEY payloads failed on GM y.y.y.y in the group IPV6-GROUP-NAME, with peer at x.x.x.x
Jul 24 08:56:44.172: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of GDOI mode failed with peer at x.x.x.x

Conditions: The KS crypto IPv6 ACL has to exceed 100 entries.
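Added example (not Cisco's code or tooling): a small audit script that counts the entries of each IPv6 ACL referenced by a GDOI group in an IOS running-config and flags any that exceed the 100-entry condition above, plus a matcher for the GM syslog lines that indicate the rekey failure. The config fragment and log sample are constructed; the GDOI group name and ACL name are assumptions.

```python
import re
from collections import defaultdict

ACE_LIMIT = 100  # condition named in CSCuq10053: IPv6 crypto ACLs above this break GM rekey

def build_sample_config(n_entries: int) -> str:
    """Constructed IOS KS config fragment with an IPv6 crypto ACL of n_entries permits."""
    aces = "\n".join(f" sequence {10 * (i + 1)} permit ipv6 2001:db8:{i:x}::/48 any"
                     for i in range(n_entries))
    return ("!\nipv6 access-list GETVPN-V6-ACL\n" + aces + "\n!\n"
            "crypto gdoi group ipv6 IPV6-GROUP-NAME\n identity number 6001\n"
            " server local\n  sa ipsec 1\n   match address ipv6 GETVPN-V6-ACL\n!\n")

def count_ipv6_acl_entries(config: str) -> dict:
    """Count permit/deny entries per named IPv6 ACL in an IOS running-config."""
    counts, current = defaultdict(int), None
    for line in config.splitlines():
        m = re.match(r"^ipv6 access-list (\S+)", line)
        if m:
            current = m.group(1)
            counts[current] = 0
        elif current and re.match(r"^\s+(sequence \d+ )?(permit|deny)\b", line):
            counts[current] += 1
        elif not line.startswith(" "):
            current = None  # left the ACL block
    return dict(counts)

def crypto_acls_over_limit(config: str, limit: int = ACE_LIMIT) -> list:
    """Return (acl, entries) for IPv6 ACLs used as GDOI crypto ACLs that exceed the limit."""
    referenced = set(re.findall(r"^\s+match address ipv6 (\S+)", config, re.M))
    counts = count_ipv6_acl_entries(config)
    return sorted((n, c) for n, c in counts.items() if n in referenced and c > limit)

# Messages quoted in the bug report; the IKMP line alone is too generic to key on.
REKEY_FAILURE_PATTERNS = (
    re.compile(r"GDOI:GM INFRA:ERR:.*Couldn't match SPI in KD TEK"),
    re.compile(r"%GDOI-3-GDOI_REKEY_FAILURE"),
)

def find_rekey_failures(log: str) -> list:
    """Return GM syslog lines matching the rekey-failure signatures."""
    return [l for l in log.splitlines() if any(p.search(l) for p in REKEY_FAILURE_PATTERNS)]

SAMPLE_LOG = """Jul 24 08:56:40.001: %GDOI-5-GM_REGS_COMPL: Registration to KS x.x.x.x complete for group IPV6-GROUP-NAME
Jul 24 08:56:44.172: GDOI:GM INFRA:ERR:(36794:65300):Couldn't match SPI in KD TEK mid is 0; spi size is 4; spi is 0x23FDC230
Jul 24 08:56:44.172: %GDOI-3-GDOI_REKEY_FAILURE: Processing of REKEY payloads failed on GM y.y.y.y in the group IPV6-GROUP-NAME, with peer at x.x.x.x
Jul 24 08:56:44.172: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of GDOI mode failed with peer at x.x.x.x"""

if __name__ == "__main__":
    print(crypto_acls_over_limit(build_sample_config(101)))  # [('GETVPN-V6-ACL', 101)]
    print(find_rekey_failures(SAMPLE_LOG))
```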