Cisco Bug: CSCuw48400 - GetVPN GM unable to register or rekey fails - sig-hash > default SHA-1

Last Modified

Sep 27, 2018

Products (1)

  • Cisco 3G Wireless WAN

Known Affected Releases

15.5(3)S

Description (partial)

Symptom:
GM cannot register to GetVPN group.
KS shows it is registered, but GM shows it is registering.

OR

GM can register, but TEK rekey fails with:

GDOI:GM REKEY:ERR:(GDOI-002:0:2):Signature Invalid! status = 13

In the second case, the GM's "show crypto gdoi" output shows a different sig-hash algorithm from the one configured on the KS.

For example, with the KS configured for SHA-256, the GM shows:

#sh crypto gdoi 
...
KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 85379
    Encrypt Algorithm        : AES
    Key Size                 : 256     
    Sig Hash Algorithm       : HMAC_AUTH_SHA384   <----
    Sig Key Length (bits)    : 1296

Conditions:
GM running version >= 15.5(01)T or 15.5(01)S, and
KS running version < 15.5(01)T or 15.5(01)S

or vice versa:

GM running version < 15.5(01)T or 15.5(01)S, and
KS running version >= 15.5(01)T or 15.5(01)S

In addition, the KS GetVPN group is configured with a non-default sig-hash algorithm (anything other than the default SHA-1).

For example:

crypto gdoi group GDOI-SHA-512
 identity number 2
 server local
  rekey algorithm aes 256
  rekey sig-hash algorithm sha512   <-----
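As an added audit check (not part of the Cisco bug record), the Python below flags a GM/KS pair that matches the conditions above: it parses IOS version strings, reads the Sig Hash Algorithm from a GM's "show crypto gdoi" output, and reports whether the pair straddles 15.5(01)T/S while the KS uses a non-default sig-hash. The sample "show crypto gdoi" text is constructed from the output above, and treating the numeric release 15.5(1) as the boundary for every train is an assumption.

```python
import re

# Constructed sample of the GM-side output shown in the bug, not captured from a real device.
GM_SHOW_GDOI = """\
KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 85379
    Encrypt Algorithm        : AES
    Key Size                 : 256
    Sig Hash Algorithm       : HMAC_AUTH_SHA384
    Sig Key Length (bits)    : 1296
"""

# Assumption: the behaviour change lands at 15.5(1) on every train (the bug names T and S).
BOUNDARY = (15, 5, 1)


def parse_ios_version(ver):
    """'15.5(01)T' -> (15, 5, 1, 'T'); the train letter is kept but not ordered."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)([A-Za-z]*)", ver.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version: {ver!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).upper())


def has_new_sighash(ver):
    """True if this release is at or past the 15.5(1) boundary."""
    return parse_ios_version(ver)[:3] >= BOUNDARY


def gm_sig_hash(show_output):
    """Pull the negotiated Sig Hash Algorithm out of 'show crypto gdoi' text, or None."""
    m = re.search(r"Sig Hash Algorithm\s*:\s*(\S+)", show_output)
    return m.group(1) if m else None


def normalise_hash(name):
    """Map 'HMAC_AUTH_SHA384', 'SHA-256', 'sha512' etc. onto 'sha384', 'sha256', 'sha512'."""
    return re.sub(r"[^a-z0-9]", "", name.lower()).replace("hmacauth", "")


def audit(gm_version, ks_version, ks_sig_hash, gm_show_output=""):
    """Return a list of findings for one GM/KS pair."""
    findings = []
    if has_new_sighash(gm_version) != has_new_sighash(ks_version):
        findings.append("version-straddle")          # one side older than 15.5(01)T/S
    if normalise_hash(ks_sig_hash) != "sha1":
        findings.append("non-default-sighash")       # KS group not on the default SHA-1
    gm_hash = gm_sig_hash(gm_show_output)
    if gm_hash and normalise_hash(gm_hash) != normalise_hash(ks_sig_hash):
        findings.append(f"hash-mismatch:{gm_hash}")  # GM shows a hash the KS never configured
    return findings


def matches_bug_conditions(gm_version, ks_version, ks_sig_hash):
    """Both bug conditions present: version straddle plus non-default KS sig-hash."""
    f = audit(gm_version, ks_version, ks_sig_hash)
    return "version-straddle" in f and "non-default-sighash" in f
```

A pair that returns True from matches_bug_conditions is one to check for the registration or rekey symptoms above; a "hash-mismatch" finding from a live "show crypto gdoi" capture is the second symptom directly.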