Cisco Bug: CSCvv05221 - BGP session with TCP AO auth stays down post reload on standby

Last Modified

Sep 16, 2020

Products (1)

  • Cisco ASR 9000 Series Aggregation Services Routers

Known Affected Releases

7.2.1.BASE

Description (partial)

+++++++ In Steady state  +++++++++ 
A BGP neighbor is configured with TCP AO using specifically a type6 key-chain, and the BGP sessions are NSR ready.

+++++++ Trigger ++++++++++++++
switch-over or RP Fail-over (RPFO) 

+++++++ Impact +++++++++++++
Post switch-over, on the new standby, TCP is not able to authenticate the incoming BGP packets of the neighbor configured with TCP AO using specifically the type6 key-chain, because TCP finds that it has no valid key to authenticate the packet. It drops the packet and logs the following message on the console.

RP/0/RP1/CPU0:Jun 13 15:38:41.534 IST: tcp[131]: %IP-TCP-3-BADAUTH : Invalid AO digest from 11.1.1.3:49043 to 11.1.1.4:179 for vrf:default (0x60000000)


So the impact is only on the standby side, with respect to TCP AO functionality when a type6 keychain is used: NSR for the affected BGP neighbor session (configured with TCP AO using a type6 key-chain) will be impacted. 
Note - The other BGP neighbors configured with TCP AO using a non-type6 key-chain are not impacted.

On the active node there is no impact at all: TCP continues to receive and authenticate the incoming BGP packets and forwards them to the BGP application. BGP sessions remain steady as expected, so there is no traffic impact.


++++++++ Frequency of hitting this issue ++++++++
Rare - 1 out of 5 attempts

----

Symptom:
Post switchover, run the following show command on the new standby to check whether this issue has been hit. 

+++ show tcp authentication keychain all detail location <new standby node>  ++++

Keychain name: bgp-AO-rsp4, configured for tcp-ao
Desired key not yet available
No notification received from keychain yet
Total number of keys: 1
Key details:
    Key ID: 1, Active, Invalid, reason: config incomplete    <<<<< key is invalid due to config incomplete - this shows that we hit this issue
    Active_state: 1, invalid_bits: 0x1, state: 0x2
    Key is configured for tcp-ao, Send ID: 254, Receive ID: 254
    Crypto algorithm: AES_128_CMAC_96, key string chksum: 00000000   <<<< key string chksum is 0. This means TCP could not get the key string (the type6-encrypted password) from the keychain module during config replay at standby bootup -- this shows that we hit this issue.
    No notification received from keychain yet
    No valid overlapping key
    No keys invalidated

No key is usable (i.e. Valid and Active):      <<<< No key is usable



The same show command on the new active shows the AO keychain config replayed correctly without any error.

+++ show tcp authentication keychain all detail location <new active> ++++

Keychain name: bgp-AO-rsp4, configured for tcp-ao
Desired key: 1
No notification received from keychain yet
Total number of keys: 1
Key details:
    Key ID: 1, Active, Valid      <<<< key is valid and active. 
    Active_state: 1, invalid_bits: 0x0, state: 0x3
    Key is configured for tcp-ao, Send ID: 254, Receive ID: 254
    Crypto algorithm: AES_128_CMAC_96, key string chksum: 010132c7    <<< key string chksum is non-zero, which means TCP could get the key string (type6 password) from the keychain module without any error.
    No notification received from keychain yet
    No valid overlapping key
    No keys invalidated

Total number of usable (Active & Valid) keys: 1    <<< see usable key is 1.
    Keys: 1,

Conditions:
This issue is only seen when a type6 keychain is configured with TCP AO.
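As an added check (not part of this bug record or Cisco's tooling), the following script parses the output of "show tcp authentication keychain all detail" and flags keychains that show the signature described above: no usable (Active and Valid) key together with an all-zero key string checksum. The two sample outputs are constructed from the symptom text, not captured from a device.

```python
import re

# Constructed samples modelled on the standby/active output shown in the symptom section.
SAMPLE_STANDBY = """\
Keychain name: bgp-AO-rsp4, configured for tcp-ao
Desired key not yet available
Key details:
    Key ID: 1, Active, Invalid, reason: config incomplete
    Crypto algorithm: AES_128_CMAC_96, key string chksum: 00000000
No key is usable (i.e. Valid and Active):
"""
SAMPLE_ACTIVE = """\
Keychain name: bgp-AO-rsp4, configured for tcp-ao
Desired key: 1
Key details:
    Key ID: 1, Active, Valid
    Crypto algorithm: AES_128_CMAC_96, key string chksum: 010132c7
Total number of usable (Active & Valid) keys: 1
"""
KEY_RE = re.compile(r"\s*Key ID: (\d+), (\w+), (\w+)(?:, reason: (.+?))?\s*$")
CHKSUM_RE = re.compile(r"key string chksum: ([0-9a-fA-F]+)")

def parse_keychains(text):
    """Map keychain name -> list of keys parsed from the show command output."""
    chains, keys, key = {}, None, None
    for line in text.splitlines():
        if line.startswith("Keychain name: "):
            name = line.split()[2].rstrip(",")
            keys = chains.setdefault(name, [])
            continue
        m = KEY_RE.match(line)
        if m and keys is not None:
            key = {"id": int(m.group(1)), "active": m.group(2) == "Active",
                   "valid": m.group(3) == "Valid", "reason": m.group(4), "chksum": None}
            keys.append(key)
            continue
        m = CHKSUM_RE.search(line)
        if m and key is not None:
            key["chksum"] = m.group(1)
    return chains

def keychains_hit_by_bug(text):
    """Keychains with no usable key and an all-zero key string checksum (key string never received)."""
    hits = []
    for name, keys in parse_keychains(text).items():
        usable = any(k["active"] and k["valid"] for k in keys)
        zero_chksum = any(k["chksum"] and set(k["chksum"]) == {"0"} for k in keys)
        if not usable and zero_chksum:
            hits.append(name)
    return hits
```

Feed it the captured output of the command for the new standby; a non-empty result means the keychain replay failed as described above.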