BugZero | Cisco BugID CSCuv74256 - IOS: HMAC key miscalculated with DH Group 21 and I...

Symptom

Intermittently, during the rekey IOS may end-up calculating wrong HMAC compared to the Peer (IOS or any other device) when the PFS is set to 21 specifically. The error may vary depending on the platform: ASR1k - IOS-XE: Syslog: Nov 26 12:28:42.111: %IOSXE-3-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:000 TS:00000182801541574367 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, DP Handle 349, src_addr 11.12.82.1, dest_addr 10.1.1.200, SPI 0xdad10535 show platform hardware qfp active feature ipsec datapath drops ------------------------------------------------------------------------ Drop Type Name Packets ------------------------------------------------------------------------ 62 IN_OCT_MAC_EXCEPTION 2 76 OCT_PAD_MISMATCH 2241 [Or, depending on the crypto engine) 62 IN_N2_MAC_EXCEPTION 2292 76 N2_PAD_MISMATCH 573017 ISR 4300: Syslog: Nov 26 12:28:42.111: %IOSXE-3-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:000 TS:00000182801541574367 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, DP Handle 349, src_addr 11.12.82.1, dest_addr 10.1.1.200, SPI 0xdad10535 show platform hardware qfp active feature ipsec datapath drops ------------------------------------------------------------------------ Drop Type Name Packets ------------------------------------------------------------------------ 62 IN_ICE_MAC_EXCEPTION 90961 ISR 4400: Syslog shows up occasionally. But mostly the error is captures by "IN_UNEXP_OVLD_EXCEPTION" indicating an unexpected error during HMAC verification. show platform hardware qfp active feature ipsec datapath drops ------------------------------------------------------------------------ Drop Type Name Packets ------------------------------------------------------------------------ 20 IN_UNEXP_OVLD_EXCEPTION 78117 62 IN_OVLD_MAC_EXCEPTION 8 ISR G2: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=294 spi=98FC0400 seqno=0000000E Also: show crypto ipsec sa det | i verify failed|crypto endpt. !! this will show per peer stats on HMAC errors

Conditions

IOS configured as IPSec VPN termination point, the IKE or IKEv2 policy specifies DH group 21 and the PSec policy enables PFS.

Workaround

Use DH group 20 and/or do not enable IPSec PFS. When the problem occurs clearing the IPSec SAs will allow new SAs to be negotiated. Following the negotiation the the IPSec connection should resume.

Further Problem Description

Some of the issues due to DH Group 21 and IPSec PFS are taken corrected by the following bug fix in 15.5(3)S (XE 3.16) or IOS 15.5(3)M1: CSCut21091 IPSec HMAC errors seen when using DH group 21 for PFS However Cisco has discovered that this situation may still occur even with the above fix in place.

Cisco - Defect ID: CSCuv74256

IOS: HMAC key miscalculated with DH Group 21 and IPSec PFS enabled

Cisco - Defect ID: CSCuv74256

IOS: HMAC key miscalculated with DH Group 21 and IPSec PFS enabled

Last updated on June 5th, 2024

BugZero Risk Score
7.8 High

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Top Cisco Defects

Ready to prevent the next vendor outage?

Links

Cisco - Defect ID: CSCuv74256

IOS: HMAC key miscalculated with DH Group 21 and IPSec PFS enabled

Cisco - Defect ID: CSCuv74256

IOS: HMAC key miscalculated with DH Group 21 and IPSec PFS enabled

Last updated on June 5th, 2024

BugZero Risk Score7.8 High

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Top Cisco Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
7.8 High