
OPERATIONAL DEFECT DATABASE
IPsec tunnels flap; an iptables drop message is logged shortly before each flap.

Example drop message:
kern.info: Mar 30 04:31:57 Pittsburgh-V01 kernel: "iptables-dropped:"IN=ge0_4 OUT= MAC=80:b7:09:18:8a:14:78:02:b1:8b:df:41:08:00 SRC=104.129.196.33 DST=134.6.186.130 LEN=108 TOS=0x08 PREC=0x40 TTL=52 ID=45477 PROTO=UDP SPT=4500 DPT=4500 LEN=88

Affected versions: 18.4.4, 18.4.5; 19.2.1, 19.2.2, 19.2.31; 20.1.1

Workaround: apply the "request ipsec ipsec-rekey" command (https://www.cisco.com/c/en/us/td/docs/routers/sdwan/command/sdwan-cr-book/operational-cmd.html#wp2222650581).

request ipsec ipsec-rekey: force the generation of a new security parameter index (SPI) for an IPsec tunnel that is being used for IKE sessions (on vEdge routers only).
Syntax: request ipsec ipsec-rekey interface ipsec number vpn vpn-id
You hit this issue if you see the following behavior:

Tunnel drop:
daemon.info: Apr 15 10:54:39 vedge1-site2 charon: 16[IKE] giving up after 3 retransmits
daemon.info: Apr 15 10:54:39 vedge1-site2 charon: 16[KNL] Deleting SAD entry with SPI 000021cd
daemon.info: Apr 15 10:54:39 vedge1-site2 charon: 16[KNL] Deleting SAD entry with SPI 2d1b76e2
local7.info: Apr 15 10:54:39 vedge1-site2 FTMD[1256]: %Viptela-vedge1-site2-FTMD-6-INFO-1000001: VPN 0 Interface ipsec1 DOWN

Tunnel negotiation/up:
daemon.info: Apr 15 10:54:44 vedge1-site2 charon: 13[IKE] authentication of '165.225.16.161' with pre-shared key successful
...
local7.info: Apr 15 10:54:44 vedge1-site2 FTMD[1256]: %Viptela-vedge1-site2-FTMD-6-INFO-1000001: VPN 0 Interface ipsec1 UP. Speed 0 Duplex Full

Drop still happens:
kern.info: Apr 15 10:56:16 vedge1-site2 kernel: "iptables-dropped:"IN=ge0_4 OUT= MAC=80:b7:09:06:70:d4:70:d3:79:be:ff:c7:08:00 SRC=165.225.16.161 DST=10.120.3.1 LEN=112 TOS=0x00 PREC=0x00 TTL=50 ID=33359 PROTO=UDP SPT=4500 DPT=4500 LEN=92

First DPD request:
daemon.info: Apr 15 10:56:49 vedge1-site2 charon: 08[IKE] sending DPD request
daemon.info: Apr 15 10:56:49 vedge1-site2 charon: 08[ENC] generating INFORMATIONAL request 2 [ ]
daemon.info: Apr 15 10:56:49 vedge1-site2 charon: 08[NET] sending packet: from 10.120.3.1[4500] to 165.225.16.161[4500] (80 bytes)

Retry:
daemon.info: Apr 15 10:56:54 vedge1-site2 charon: 09[IKE] retransmit 1 of request with message ID 2 (tries=3, timeout=5, exchange=37, state=2)
daemon.info: Apr 15 10:56:54 vedge1-site2 charon: 09[NET] sending packet: from 10.120.3.1[4500] to 165.225.16.161[4500] (80 bytes)
daemon.info: Apr 15 10:56:54 vedge1-site2 charon: 05[IKE] sending DPD request

Retry:
daemon.info: Apr 15 10:57:03 vedge1-site2 charon: 07[IKE] retransmit 2 of request with message ID 2 (tries=3, timeout=5, exchange=37, state=2)
daemon.info: Apr 15 10:57:03 vedge1-site2 charon: 07[NET] sending packet: from 10.120.3.1[4500] to 165.225.16.161[4500] (80 bytes)

Retry:
daemon.info: Apr 15 10:57:20 vedge1-site2 charon: 09[IKE] retransmit 3 of request with message ID 2 (tries=3, timeout=5, exchange=37, state=2)
daemon.info: Apr 15 10:57:20 vedge1-site2 charon: 09[NET] sending packet: from 10.120.3.1[4500] to 165.225.16.161[4500] (80 bytes)

Tunnel killed:
daemon.info: Apr 15 10:57:49 vedge1-site2 charon: 09[IKE] giving up after 3 retransmits
daemon.info: Apr 15 10:57:49 vedge1-site2 charon: 09[KNL] Deleting SAD entry with SPI 000021ce
daemon.info: Apr 15 10:57:49 vedge1-site2 charon: 09[KNL] Deleting SAD entry with SPI 51b04f61
local7.info: Apr 15 10:57:49 vedge1-site2 FTMD[1256]: %Viptela-vedge1-site2-FTMD-6-INFO-1000001: VPN 0 Interface ipsec1 DOWN

Tunnel up:
daemon.info: Apr 15 10:57:54 vedge1-site2 charon: 09[KNL] add SAD entry with SPI 000021cf
daemon.info: Apr 15 10:57:54 vedge1-site2 charon: 09[KNL] add SAD entry with SPI 0dab05ed
daemon.info: Apr 15 10:57:54 vedge1-site2 charon: 09[IKE] CHILD_SA child_ipsec1_0{135} established with SPIs 000021cf_i 0dab05ed_o and TS 0.0.0.0/0 === 0.0.0.0/0
daemon.info: Apr 15 10:57:54 vedge1-site2 charon: 09[IKE] CHILD_SA child_ipsec1_0{135} established with SPIs 000021cf_i 0dab05ed_o and TS 0.0.0.0/0 === 0.0.0.0/0
local7.info: Apr 15 10:57:54 vedge1-site2 FTMD[1256]: %Viptela-vedge1-site2-FTMD-6-INFO-1000001: VPN 0 Interface ipsec1 UP. Speed 0 Duplex Full

Drop still happens:
kern.info: Apr 15 10:59:38 vedge1-site2 kernel: "iptables-dropped:"IN=ge0_4 OUT= MAC=80:b7:09:06:70:d4:70:d3:79:be:ff:c7:08:00 SRC=165.225.16.161 DST=10.120.3.1 LEN=112 TOS=0x00 PREC=0x00 TTL=50 ID=21456 PROTO=UDP SPT=4500 DPT=4500 LEN=92

First DPD request:
daemon.info: Apr 15 11:00:04 vedge1-site2 charon: 14[IKE] sending DPD request
daemon.info: Apr 15 11:00:04 vedge1-site2 charon: 14[ENC] generating INFORMATIONAL request 2 [ ]
daemon.info: Apr 15 11:00:04 vedge1-site2 charon: 14[NET] sending packet: from 10.120.3.1[4500] to 165.225.16.161[4500] (80 bytes)

Retry:
daemon.info: Apr 15 11:00:18 vedge1-site2 charon: 10[IKE] retransmit 2 of request with message ID 2 (tries=3, timeout=5, exchange=37, state=2)
daemon.info: Apr 15 11:00:18 vedge1-site2 charon: 10[NET] sending packet: from 10.120.3.1[4500] to 165.225.16.161[4500] (80 bytes)

Retry:
daemon.info: Apr 15 11:00:35 vedge1-site2 charon: 10[IKE] retransmit 3 of request with message ID 2 (tries=3, timeout=5, exchange=37, state=2)
daemon.info: Apr 15 11:00:35 vedge1-site2 charon: 10[NET] sending packet: from 10.120.3.1[4500] to 165.225.16.161[4500] (80 bytes)
daemon.info: Apr 15 11:00:35 vedge1-site2 charon: 09[IKE] sending DPD request

Tunnel killed:
daemon.info: Apr 15 11:01:04 vedge1-site2 charon: 15[IKE] giving up after 3 retransmits
daemon.info: Apr 15 11:01:04 vedge1-site2 charon: 15[KNL] Deleting SAD entry with SPI 000021cf
daemon.info: Apr 15 11:01:04 vedge1-site2 charon: 15[KNL] Deleting SAD entry with SPI 0dab05ed
local7.info: Apr 15 11:01:04 vedge1-site2 FTMD[1256]: %Viptela-vedge1-site2-FTMD-6-INFO-1000001: VPN 0 Interface ipsec1 DOWN
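The sequence above has a recognisable shape: the kernel logs an iptables drop of UDP/4500 (IKE NAT-T) traffic from the peer, charon's next DPD request then exhausts its three retransmits, and FTMD reports the ipsec interface DOWN. The following script is an added example, not Cisco's or BugZero's code, that correlates those three messages over vEdge syslog so the flap can be tied to this signature before anyone reaches for the ipsec-rekey workaround. The sample lines are constructed from the record's own excerpt; the year (syslog carries none), the 300-second correlation window and the inclusion of UDP/500 alongside UDP/4500 are assumptions.

```python
"""Correlate iptables drops of IKE/NAT-T packets with charon DPD failures."""
import re
from datetime import datetime

ASSUMED_YEAR = 2020              # syslog lines carry no year; assumed here
IKE_UDP_PORTS = {"500", "4500"}  # IKE and IKE/ESP NAT-T; the record shows 4500

LINE_RE = re.compile(
    r"^(?P<prio>[\w.]+): (?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
GIVEUP_RE = re.compile(r"giving up after (\d+) retransmits")
DOWN_RE = re.compile(r"VPN (?P<vpn>\d+) Interface (?P<iface>\S+) DOWN")

# Constructed sample: one flap cycle, copied from the record's excerpt.
SAMPLE_LOG = """\
kern.info: Apr 15 10:56:16 vedge1-site2 kernel: "iptables-dropped:"IN=ge0_4 OUT= MAC=80:b7:09:06:70:d4:70:d3:79:be:ff:c7:08:00 SRC=165.225.16.161 DST=10.120.3.1 LEN=112 TOS=0x00 PREC=0x00 TTL=50 ID=33359 PROTO=UDP SPT=4500 DPT=4500 LEN=92
daemon.info: Apr 15 10:56:49 vedge1-site2 charon: 08[IKE] sending DPD request
daemon.info: Apr 15 10:56:54 vedge1-site2 charon: 09[IKE] retransmit 1 of request with message ID 2 (tries=3, timeout=5, exchange=37, state=2)
daemon.info: Apr 15 10:57:03 vedge1-site2 charon: 07[IKE] retransmit 2 of request with message ID 2 (tries=3, timeout=5, exchange=37, state=2)
daemon.info: Apr 15 10:57:20 vedge1-site2 charon: 09[IKE] retransmit 3 of request with message ID 2 (tries=3, timeout=5, exchange=37, state=2)
daemon.info: Apr 15 10:57:49 vedge1-site2 charon: 09[IKE] giving up after 3 retransmits
local7.info: Apr 15 10:57:49 vedge1-site2 FTMD[1256]: %Viptela-vedge1-site2-FTMD-6-INFO-1000001: VPN 0 Interface ipsec1 DOWN
local7.info: Apr 15 10:57:54 vedge1-site2 FTMD[1256]: %Viptela-vedge1-site2-FTMD-6-INFO-1000001: VPN 0 Interface ipsec1 UP. Speed 0 Duplex Full
"""

# Constructed control case: DPD failure and DOWN with no preceding drop.
NO_DROP_LOG = """\
daemon.info: Apr 15 10:54:39 vedge1-site2 charon: 16[IKE] giving up after 3 retransmits
local7.info: Apr 15 10:54:39 vedge1-site2 FTMD[1256]: %Viptela-vedge1-site2-FTMD-6-INFO-1000001: VPN 0 Interface ipsec1 DOWN
"""


def parse_line(line, year=ASSUMED_YEAR):
    """Split one syslog line into timestamp, host and message; None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "msg": m["msg"]}


def parse_iptables_drop(msg):
    """Return the key=value fields of an 'iptables-dropped:' message, else None.

    The kernel prints LEN= twice (IP total length, then UDP length); the dict
    keeps the last one, which is enough for this correlation.
    """
    if "iptables-dropped" not in msg:
        return None
    start = msg.find("IN=")
    if start < 0:
        return None
    fields = {}
    for token in msg[start:].split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def _within(ref_ts, items, window_s):
    """Items (ts, ...) that occurred at most window_s seconds before ref_ts."""
    return [i for i in items if 0 <= (ref_ts - i[0]).total_seconds() <= window_s]


def find_flaps(log_text, window_s=300):
    """Flag each 'Interface ... DOWN' preceded, within window_s seconds, by both
    an iptables drop of UDP IKE/NAT-T traffic and a DPD 'giving up' message."""
    drops, giveups, findings = [], [], []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        fields = parse_iptables_drop(ev["msg"])
        if fields is not None:
            if fields.get("PROTO") == "UDP" and fields.get("DPT") in IKE_UDP_PORTS:
                drops.append((ev["ts"], fields.get("SRC")))
            continue
        giveup = GIVEUP_RE.search(ev["msg"])
        if giveup:
            giveups.append((ev["ts"], int(giveup.group(1))))
            continue
        down = DOWN_RE.search(ev["msg"])
        if down is None:
            continue
        recent_drops = _within(ev["ts"], drops, window_s)
        recent_giveups = _within(ev["ts"], giveups, window_s)
        if recent_drops and recent_giveups:
            drop_ts, peer = recent_drops[-1]
            findings.append({
                "host": ev["host"],
                "vpn": int(down["vpn"]),
                "interface": down["iface"],
                "peer": peer,
                "retransmits": recent_giveups[-1][1],
                "seconds_after_drop": int((ev["ts"] - drop_ts).total_seconds()),
                "down_at": ev["ts"].strftime("%b %d %H:%M:%S"),
            })
    return findings


if __name__ == "__main__":
    for f in find_flaps(SAMPLE_LOG):
        print(f"{f['host']}: {f['interface']} (VPN {f['vpn']}) DOWN at {f['down_at']}, "
              f"{f['seconds_after_drop']}s after a UDP/4500 drop from {f['peer']} "
              f"and {f['retransmits']} unanswered DPD retransmits")
```

Feed it the output of the vEdge log export (or a syslog collector's copy) and alert on any finding; a DOWN that is not preceded by a drop of IKE/NAT-T traffic (the NO_DROP_LOG case) is reported as nothing, since that pattern does not match this defect and deserves a different investigation.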