...
Intermittently, during a rekey, IOS may calculate an HMAC that does not match the one calculated by the peer (IOS or any other device), specifically when the PFS group is set to 21. The error reported varies by platform:

ASR1k (IOS-XE):

Syslog:
Nov 26 12:28:42.111: %IOSXE-3-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:000 TS:00000182801541574367 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, DP Handle 349, src_addr 11.12.82.1, dest_addr 10.1.1.200, SPI 0xdad10535

show platform hardware qfp active feature ipsec datapath drops
------------------------------------------------------------------------
Drop Type  Name                                 Packets
------------------------------------------------------------------------
62         IN_OCT_MAC_EXCEPTION                 2
76         OCT_PAD_MISMATCH                     2241

or, depending on the crypto engine:

62         IN_N2_MAC_EXCEPTION                  2292
76         N2_PAD_MISMATCH                      573017

ISR 4300:

Syslog:
Nov 26 12:28:42.111: %IOSXE-3-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:000 TS:00000182801541574367 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, DP Handle 349, src_addr 11.12.82.1, dest_addr 10.1.1.200, SPI 0xdad10535

show platform hardware qfp active feature ipsec datapath drops
------------------------------------------------------------------------
Drop Type  Name                                 Packets
------------------------------------------------------------------------
62         IN_ICE_MAC_EXCEPTION                 90961

ISR 4400:

The syslog message shows up only occasionally. Mostly the error is captured by the IN_UNEXP_OVLD_EXCEPTION counter, indicating an unexpected error during HMAC verification.

show platform hardware qfp active feature ipsec datapath drops
------------------------------------------------------------------------
Drop Type  Name                                 Packets
------------------------------------------------------------------------
20         IN_UNEXP_OVLD_EXCEPTION              78117
62         IN_OVLD_MAC_EXCEPTION                8

ISR G2:

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=294 spi=98FC0400 seqno=0000000E

Also, on any platform:

show crypto ipsec sa det | i verify failed|crypto endpt.
!! this shows per-peer statistics on HMAC errors
IOS is configured as an IPSec VPN termination point, the IKE (ISAKMP) or IKEv2 policy specifies DH group 21, and the IPSec policy (IPSec profile or crypto map) enables PFS with group 21.
Use DH group 20 and/or do not enable IPSec PFS. Group 20 (384-bit ECP) is the closest alternative to group 21 (521-bit ECP); do not fall back to a weaker MODP group just to avoid the defect. When the problem occurs, clearing the IPSec SAs (clear crypto sa) allows new SAs to be negotiated; after the negotiation the IPSec connection should resume.
Some of the issues caused by DH group 21 and IPSec PFS are corrected by the following bug fix in 15.5(3)S (XE 3.16) or IOS 15.5(3)M1: CSCut21091 "IPSec HMAC errors seen when using DH group 21 for PFS". However, Cisco has found that this situation may still occur even with the above fix in place.
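The following script is an added example, not part of the original page or of any Cisco tool. It checks whether a device matches the conditions above (an IKE/IKEv2 policy offering group 21 together with an IPSec profile or crypto map requesting PFS group 21) and whether the symptoms above are present, by parsing running-config text, syslog lines and the datapath drop counters in the formats quoted on this page. The config, syslog and counter samples are constructed for the example; profile and proposal names such as PROP-21 and PROF-21 are made up.

```python
import re

# Constructed sample running-config (abbreviated) that meets the trigger
# conditions: IKEv2 proposal with group 21 and an IPsec profile with PFS group 21.
SAMPLE_CONFIG = """\
crypto ikev2 proposal PROP-21
 encryption aes-cbc-256
 integrity sha384
 group 21
crypto ikev2 policy POL-21
 proposal PROP-21
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha384-hmac
 mode tunnel
crypto ipsec profile PROF-21
 set transform-set TS-AES256
 set pfs group21
!
crypto ipsec profile PROF-20
 set transform-set TS-AES256
 set pfs group20
"""

# Constructed sample syslog lines in the IOS-XE and ISR G2 formats shown above.
SAMPLE_SYSLOG = """\
Nov 26 12:28:42.111: %IOSXE-3-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:000 TS:00000182801541574367 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, DP Handle 349, src_addr 11.12.82.1, dest_addr 10.1.1.200, SPI 0xdad10535
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=294 spi=98FC0400 seqno=0000000E
"""

# Constructed sample of "show platform hardware qfp active feature ipsec datapath drops".
SAMPLE_DROPS = """\
------------------------------------------------------------------------
Drop Type  Name                                 Packets
------------------------------------------------------------------------
20         IN_UNEXP_OVLD_EXCEPTION              78117
62         IN_OVLD_MAC_EXCEPTION                8
76         OCT_PAD_MISMATCH                     2241
"""

XE_HMAC_RE = re.compile(r"%IPSEC-3-HMAC_ERROR: .*?src_addr ([^,]+), dest_addr ([^,]+), SPI (0x[0-9a-fA-F]+)")
G2_HMAC_RE = re.compile(r"%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed .*?spi=([0-9A-Fa-f]+)")
DROP_ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s*$")
HMAC_DROP_NAMES = re.compile(r"MAC_EXCEPTION|PAD_MISMATCH|UNEXP_OVLD_EXCEPTION")


def config_blocks(config):
    """Split IOS config text into (header, [indented sub-lines]) blocks."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def group21_conditions(config):
    """Return IKE/IKEv2 policies offering DH group 21 and IPsec profiles or
    crypto-map entries requesting PFS group 21 (the trigger conditions)."""
    ike, pfs = [], []
    for header, body in config_blocks(config):
        if header.startswith(("crypto ikev2 proposal", "crypto isakmp policy")):
            # IKEv2 proposals may list several groups: "group 21 20 19".
            if any(l.startswith("group ") and "21" in l.split()[1:] for l in body):
                ike.append(header)
        elif header.startswith(("crypto ipsec profile", "crypto map")):
            if any(l == "set pfs group21" for l in body):
                pfs.append(header)
    return {"ike_group21": ike, "pfs_group21": pfs}


def hmac_error_events(syslog):
    """Extract HMAC-failure events (SPI, and endpoints where logged)."""
    events = []
    for line in syslog.splitlines():
        m = XE_HMAC_RE.search(line)
        if m:
            events.append({"platform": "IOS-XE", "src": m.group(1), "dst": m.group(2), "spi": m.group(3).lower()})
            continue
        m = G2_HMAC_RE.search(line)
        if m:
            events.append({"platform": "IOS", "spi": "0x" + m.group(1).lower()})
    return events


def hmac_drop_counters(drops_output):
    """Pick the MAC/padding-related counters out of the QFP drop table."""
    return {m.group(2): int(m.group(3))
            for m in map(DROP_ROW_RE.match, drops_output.splitlines())
            if m and HMAC_DROP_NAMES.search(m.group(2))}


def assess(config, syslog, drops_output):
    """True when both trigger conditions and at least one symptom are present."""
    cond = group21_conditions(config)
    events = hmac_error_events(syslog)
    drops = hmac_drop_counters(drops_output)
    hit = bool(cond["ike_group21"] and cond["pfs_group21"] and (events or drops))
    return {"conditions": cond, "events": events, "drops": drops, "matches_known_issue": hit}


if __name__ == "__main__":
    for k, v in assess(SAMPLE_CONFIG, SAMPLE_SYSLOG, SAMPLE_DROPS).items():
        print(f"{k}: {v}")
```

Feed it real "show running-config", "show logging" and drop-counter output to decide whether a box with intermittent HMAC errors is a candidate for the group 20 / no-PFS workaround rather than a genuine integrity failure on the wire.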