Cisco Bug: CSCus13533 - XE3.14 / PI26 - GDOI Interop Rekey ACK - Bad derivation of ACK Key

Last Modified

Nov 30, 2018

Products (20)

  • Cisco IOS
  • Cisco ASR 901-6CZ-FS-D Router
  • Cisco ASR 901-6CZ-F-D Router
  • Cisco ASR 901-4C-FT-D Router
  • Cisco ASR 901S-4SG-F-D Router
  • Cisco ME 3600X-24TS-M Switch
  • Cisco ASR 901S-2SG-F-AH Router
  • Cisco ASR 901-6CZ-F-A Router
  • Cisco ASR 901S-2SG-F-D Router
  • Cisco ASR 901-6CZ-FT-A Router

Known Affected Releases

15.5(1)S 15.5(1)T

Description (partial)

GDOI Group Members (GM) fail to acknowledge unicast rekeys using the GDOI Interoperable Rekey ACK as seen by the "show crypto gkm ks members" command on the Key Server (KS) after a rekey is sent. After 3 rekeys, these GMs are removed from the GM database on the KS.

The GDOI Interoperable Rekey ACK feature is enabled on the Key Server (KS) with either of the following commands under "crypto {gdoi | gkm} group <group-name>" => "server local" ...
=> rekey acknowledgement interoperable
=> rekey acknowledgement any

Also, the KS has Unicast Rekey configured with the "rekey transport unicast" command.

Group Members (GM) are not ASR1k / ISR (IOS-XE / IOS Classic) based.
GMs support the GDOI Interoperable Rekey ACK feature.