Cisco Bug: CSCvs59402 - Random IPSEC drops on ESP200 with esp-gcm transform set

Last Modified

Jan 14, 2020

Products (1)

  • Cisco ASR 1000 Series Aggregation Services Routers

Known Affected Releases

16.6.5

Description (partial)

Symptom:
Random IPSEC drops occur on the ESP200 with an esp-gcm transform set, and the following messages are observed. Tunnels are also seen to flap at times along with the invalid SPI messages.

*Jan  6 19:41:57.004: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=21.1.1.2, prot=50, spi=0xE62954E5(3861468389), srcaddr=21.1.1.1, input interface=Tunnel110
*Jan  6 19:43:04.978: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=22.1.1.2, prot=50, spi=0xBCE9655(198088277), srcaddr=22.1.1.1, input interface=Tunnel111
*Jan  6 20:47:00.306: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=21.1.1.2, prot=50, spi=0x5AB5E0D4(1521869012), srcaddr=21.1.1.1, input interface=Tunnel110
*Jan  6 20:48:08.286: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=22.1.1.2, prot=50, spi=0xA42A8428(2754249768), srcaddr=22.1.1.1, input interface=Tunnel111
*Jan  6 21:52:03.607: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=21.1.1.2, prot=50, spi=0x6B96E121(1805050145), srcaddr=21.1.1.1, input interface=Tunnel110
*Jan  6 21:53:11.590: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=22.1.1.2, prot=50, spi=0x6BEEE96D(1810819437), srcaddr=22.1.1.1, input interface=Tunnel111
*Jan  6 21:53:15.061: %BGP-3-NOTIFICATION: sent to neighbor 192.168.22.1 4/0 (hold time expired) 0 bytes 
*Jan  6 21:53:15.061: %BGP-5-NBR_RESET: Neighbor 192.168.22.1 reset (BGP Notification sent)
*Jan  6 21:53:15.062: %BGP-5-ADJCHANGE: neighbor 192.168.22.1 vpn vrf VRF_ONPREM Down BGP Notification sent
*Jan  6 21:53:15.062: %BGP_SESSION-5-ADJCHANGE: neighbor 192.168.22.1 IPv4 Unicast vpn vrf VRF_ONPREM topology base removed from session  BGP Notification sent
*Jan  6 21:53:21.571: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel111, changed state to down
*Jan  6 21:53:51.572: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel111, changed state to up
*Jan  6 21:53:51.939: %BGP-5-ADJCHANGE: neighbor 192.168.22.1 vpn vrf VRF_ONPREM Up

Conditions:
Traffic of around 35-40 gig is pumped over a DMVPN tunnel with crypto applied on an ASR1009-X box with ESP200.
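
One way to triage this symptom from a syslog capture, as an added example that is not part of the Cisco bug record: it counts invalid-SPI messages per tunnel interface and reports line-protocol drops that follow one on the same interface. The `correlate` function, the 60-second window and the year are assumptions; the sample lines are copied from the excerpt above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^\*(\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+): %([\w-]+): (.*)$")
SPI = re.compile(r"spi=(0x[0-9A-Fa-f]+)\(\d+\).*input interface=(\S+)")
DOWN = re.compile(r"Line protocol on Interface (\S+), changed state to down")

# Five lines copied from the log excerpt above.
SAMPLE = """\
*Jan  6 20:48:08.286: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=22.1.1.2, prot=50, spi=0xA42A8428(2754249768), srcaddr=22.1.1.1, input interface=Tunnel111
*Jan  6 21:52:03.607: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=21.1.1.2, prot=50, spi=0x6B96E121(1805050145), srcaddr=21.1.1.1, input interface=Tunnel110
*Jan  6 21:53:11.590: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=22.1.1.2, prot=50, spi=0x6BEEE96D(1810819437), srcaddr=22.1.1.1, input interface=Tunnel111
*Jan  6 21:53:21.571: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel111, changed state to down
*Jan  6 21:53:51.572: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel111, changed state to up
"""

def correlate(log_text, window_s=60, year=2020):
    """Count invalid-SPI events per tunnel and record line-protocol drops
    that follow one on the same interface within window_s seconds.
    year is an assumption: these timestamps carry no year."""
    stats = defaultdict(lambda: {"inv_spi": 0, "spis": set(), "flaps": []})
    last_inv = {}  # interface -> time of the most recent invalid-SPI message
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
        mnemonic, body = m.group(2), m.group(3)
        if mnemonic == "CRYPTO-4-RECVD_PKT_INV_SPI" and (s := SPI.search(body)):
            spi, ifc = s.groups()
            stats[ifc]["inv_spi"] += 1
            stats[ifc]["spis"].add(spi)
            last_inv[ifc] = ts
        elif mnemonic == "LINEPROTO-5-UPDOWN" and (d := DOWN.search(body)):
            ifc = d.group(1)
            seen = last_inv.get(ifc)
            if seen and ts - seen <= timedelta(seconds=window_s):
                # seconds between the invalid-SPI message and the drop
                stats[ifc]["flaps"].append((ts - seen).total_seconds())
    return dict(stats)

if __name__ == "__main__":
    for ifc, s in sorted(correlate(SAMPLE).items()):
        print(ifc, s["inv_spi"], sorted(s["spis"]), s["flaps"])
```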