General
So far, this problem has only been seen at one customer, and the root cause is suspected to be a HW malfunction. This DDTS fix provides a preventive fix in case a similar HW malfunction happens.
Symptom
Packet drops due to GETVPN TBAR antireplay might occur when this problem happens.
For instance, enable the following debugs:
debug platform packet-trace drop code 21
debug platform hardware qfp active feature ipsec client info
debug platform condition feature ipsec controlplane submode all level verbose
debug platform hardware qfp active feature ipsec datapath error
debug platform condition start
In the collected debug log file, significant time drift is observed between timer sync updates:
[lewisc@sjc-ads-2652 TAC_LOG]$ grep "cpp_ipsec_getvpn_timer_update_sync Diff between timer" 20170329-161147325_cpp_cp_F0-0.30788_6.20170329153445.decode.txt
2017/03/29 15:37:19.295 [buginf] [30788]: UUID: 0, ra: 0, TID: 0 (debug): [cpp-ipsec]: (info) cpp_ipsec_getvpn_timer_update_sync Diff between timer : 5 sec
2017/03/29 15:47:19.295 [buginf] [30788]: UUID: 0, ra: 0, TID: 0 (debug): [cpp-ipsec]: (info) cpp_ipsec_getvpn_timer_update_sync Diff between timer : 5 sec
2017/03/29 15:57:19.295 [buginf] [30788]: UUID: 0, ra: 0, TID: 0 (debug): [cpp-ipsec]: (info) cpp_ipsec_getvpn_timer_update_sync Diff between timer : 6 sec
2017/03/29 16:07:19.296 [buginf] [30788]: UUID: 0, ra: 0, TID: 0 (debug): [cpp-ipsec]: (info) cpp_ipsec_getvpn_timer_update_sync Diff between timer : 3 sec
2017/03/29 16:17:19.296 [buginf] [30788]: UUID: 0, ra: 0, TID: 0 (debug): [cpp-ipsec]: (info) cpp_ipsec_getvpn_timer_update_sync Diff between timer : 8 sec
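As an added example (not part of this DDTS or any Cisco tooling), a small Python triage script that pulls the cpp_ipsec_getvpn_timer_update_sync lines out of a decoded debug file, reports the drift per sync interval and flags entries above a threshold. The sample lines are constructed to match the format above, and the 2-second threshold is an assumption for triage, not a documented TBAR limit.

```python
import re
from datetime import datetime

# Constructed sample modeled on the debug output above (not the original capture);
# one unrelated line is mixed in to show the filter ignores it.
SAMPLE_LOG = """\
2017/03/29 15:37:19.295 [buginf] [30788]: UUID: 0, ra: 0, TID: 0 (debug): [cpp-ipsec]: (info) cpp_ipsec_getvpn_timer_update_sync Diff between timer : 5 sec
2017/03/29 15:47:19.295 [buginf] [30788]: UUID: 0, ra: 0, TID: 0 (debug): [cpp-ipsec]: (info) unrelated message
2017/03/29 15:57:19.295 [buginf] [30788]: UUID: 0, ra: 0, TID: 0 (debug): [cpp-ipsec]: (info) cpp_ipsec_getvpn_timer_update_sync Diff between timer : 6 sec
2017/03/29 16:07:19.295 [buginf] [30788]: UUID: 0, ra: 0, TID: 0 (debug): [cpp-ipsec]: (info) cpp_ipsec_getvpn_timer_update_sync Diff between timer : 8 sec
"""

# Timestamp at line start, timer-sync diff at line end; everything between is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) .*?"
    r"cpp_ipsec_getvpn_timer_update_sync Diff between timer : (?P<diff>\d+) sec$"
)


def parse_timer_diffs(text):
    """Return [(timestamp, diff_seconds), ...] for every timer-sync line, in file order."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            out.append((ts, int(m.group("diff"))))
    return out


def flag_drift(text, threshold_sec=2):
    """Entries whose reported drift exceeds threshold_sec (assumed triage value)."""
    return [(ts, d) for ts, d in parse_timer_diffs(text) if d > threshold_sec]


def summarize(text):
    """Sample count, max/mean drift and the spacing between sync updates in minutes."""
    entries = parse_timer_diffs(text)
    if not entries:
        return None
    diffs = [d for _, d in entries]
    gaps = [round((b - a).total_seconds() / 60, 2)
            for (a, _), (b, _) in zip(entries, entries[1:])]
    return {"samples": len(diffs), "max_sec": max(diffs),
            "mean_sec": sum(diffs) / len(diffs), "interval_min": gaps}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for ts, d in flag_drift(SAMPLE_LOG):
        print(f"{ts:%Y/%m/%d %H:%M:%S}  drift {d} sec exceeds threshold")
```

Point it at a real decode file with open(path).read() in place of SAMPLE_LOG; a steadily non-zero drift across consecutive 10-minute sync updates is the pattern this DDTS describes.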
Conditions
A HW malfunction causes the time drift.
Workaround
Disable GETVPN time-based antireplay (TBAR).