Preview Tool

Cisco Bug: CSCvu57698 - ENH: The ablity to adjust the rekey margin time for IPSEC SPI's

Last Modified

Jun 10, 2020

Products (1)

  • Cisco ASR 1000 Series Aggregation Services Routers

Known Affected Releases


Description (partial)

The Issue seems to be when creating SPI's with AWS. 

The way AWS is designed to work is when the two devices do a rekey it will start to use the new SPI immidiately. 

The way our products are designed is the generate the new SPI, but continue to use the old SPI until the lifetime expires so traffic in transit is not dropped. This is causing the tunnel to drop all traffic as were seeing invalid spi errors until the lifetime expires. 

Crypto invalid spi recovery is configured on the device and does not mitigate the issue.

ASR 1001-HX
security-association lifetime kilobytes disable
security-association lifetime seconds 3600

Cisco IOS XE Software, Version 16.09.02
Cisco IOS Software [Fuji], ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.2, RELEASE SOFTWARE (fc4)
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.