General

So far, this problem is only happen to one customer and the root cause is suspected to be due to HW malfunction. This DDTS fix is to provide a preventive fix in case similar HW malfunction happen.

Symptom

Packet drop due to GETVPN TBAR antireplay might occur when this problem happen For instance, enable the following debug: debug platform packet-trace drop code 21 debug platform hardware qfp active feature ipsec client info debug platform condition feature ipsec controlplane submode all level verbose debug platform hardware qfp active feature ipsec datapath error debug platform condition start From the debug log file collected, significant time-drift is observed [lewisc@sjc-ads-2652 TAC_LOG]$ grep "cpp_ipsec_getvpn_timer_update_sync Diff between timer" 20170329-161147325_cpp_cp_F0-0.30788_6.20170329153445.decode.txt 2017/03/29 15:37:19.295 [buginf] [30788]: UUID: 0, ra: 0, TID: 0 (debug): [cpp-ipsec]: (info) cpp_ipsec_getvpn_timer_update_sync Diff between timer : 5 sec 2017/03/29 15:47:19.295 [buginf] [30788]: UUID: 0, ra: 0, TID: 0 (debug): [cpp-ipsec]: (info) cpp_ipsec_getvpn_timer_update_sync Diff between timer : 5 sec 2017/03/29 15:57:19.295 [buginf] [30788]: UUID: 0, ra: 0, TID: 0 (debug): [cpp-ipsec]: (info) cpp_ipsec_getvpn_timer_update_sync Diff between timer : 6 sec 2017/03/29 16:07:19.296 [buginf] [30788]: UUID: 0, ra: 0, TID: 0 (debug): [cpp-ipsec]: (info) cpp_ipsec_getvpn_timer_update_sync Diff between timer : 3 sec 2017/03/29 16:17:19.296 [buginf] [30788]: UUID: 0, ra: 0, TID: 0 (debug): [cpp-ipsec]: (info) cpp_ipsec_getvpn_timer_update_sync Diff between timer : 8 sec

Conditions

HW malfunction causes the time-drift

Workaround

Disable GETVPN time-based antireplay

Further Problem Description