...
IPsec tunnels flap. Before each flap, the kernel logs an iptables drop of a UDP/4500 packet (IKE/ESP NAT-Traversal traffic) arriving from the remote IKE peer (SRC). Example:

kern.info: Mar 30 04:31:57 Pittsburgh-V01 kernel: "iptables-dropped:"IN=ge0_4 OUT= MAC=80:b7:09:18:8a:14:78:02:b1:8b:df:41:08:00 SRC=104.129.196.33 DST=134.6.186.130 LEN=108 TOS=0x08 PREC=0x40 TTL=52 ID=45477 PROTO=UDP SPT=4500 DPT=4500 LEN=88
Affected versions: 18.4.4, 18.4.5, 19.2.1, 19.2.2, 19.2.31, 20.1.1
Workaround: run the "request ipsec ipsec-rekey" command (vEdge operational command reference: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/command/sdwan-cr-book/operational-cmd.html#wp2222650581).

request ipsec ipsec-rekey: Force the generation of a new security parameter index (SPI) for an IPsec tunnel that is being used for IKE sessions (on vEdge routers only).
Syntax: request ipsec ipsec-rekey interface ipsec number vpn vpn-id

Note that the rekey only re-establishes the SA; as the logs below show, the UDP/4500 drops continue after the tunnel comes back up, so the flap can recur.
You are hitting this issue if you see the following sequence in the vEdge syslog:

Tunnel drop:
daemon.info: Apr 15 10:54:39 vedge1-site2 charon: 16[IKE] giving up after 3 retransmits
daemon.info: Apr 15 10:54:39 vedge1-site2 charon: 16[KNL] Deleting SAD entry with SPI 000021cd
daemon.info: Apr 15 10:54:39 vedge1-site2 charon: 16[KNL] Deleting SAD entry with SPI 2d1b76e2
local7.info: Apr 15 10:54:39 vedge1-site2 FTMD[1256]: %Viptela-vedge1-site2-FTMD-6-INFO-1000001: VPN 0 Interface ipsec1 DOWN

Tunnel negotiation/up:
daemon.info: Apr 15 10:54:44 vedge1-site2 charon: 13[IKE] authentication of '165.225.16.161' with pre-shared key successful
..
local7.info: Apr 15 10:54:44 vedge1-site2 FTMD[1256]: %Viptela-vedge1-site2-FTMD-6-INFO-1000001: VPN 0 Interface ipsec1 UP. Speed 0 Duplex Full

Drop still happens:
kern.info: Apr 15 10:56:16 vedge1-site2 kernel: "iptables-dropped:"IN=ge0_4 OUT= MAC=80:b7:09:06:70:d4:70:d3:79:be:ff:c7:08:00 SRC=165.225.16.161 DST=10.120.3.1 LEN=112 TOS=0x00 PREC=0x00 TTL=50 ID=33359 PROTO=UDP SPT=4500 DPT=4500 LEN=92

First DPD request:
daemon.info: Apr 15 10:56:49 vedge1-site2 charon: 08[IKE] sending DPD request
daemon.info: Apr 15 10:56:49 vedge1-site2 charon: 08[ENC] generating INFORMATIONAL request 2 [ ]
daemon.info: Apr 15 10:56:49 vedge1-site2 charon: 08[NET] sending packet: from 10.120.3.1[4500] to 165.225.16.161[4500] (80 bytes)

Retry:
daemon.info: Apr 15 10:56:54 vedge1-site2 charon: 09[IKE] retransmit 1 of request with message ID 2 (tries=3, timeout=5, exchange=37, state=2)
daemon.info: Apr 15 10:56:54 vedge1-site2 charon: 09[NET] sending packet: from 10.120.3.1[4500] to 165.225.16.161[4500] (80 bytes)
daemon.info: Apr 15 10:56:54 vedge1-site2 charon: 05[IKE] sending DPD request

Retry:
daemon.info: Apr 15 10:57:03 vedge1-site2 charon: 07[IKE] retransmit 2 of request with message ID 2 (tries=3, timeout=5, exchange=37, state=2)
daemon.info: Apr 15 10:57:03 vedge1-site2 charon: 07[NET] sending packet: from 10.120.3.1[4500] to 165.225.16.161[4500] (80 bytes)

Retry:
daemon.info: Apr 15 10:57:20 vedge1-site2 charon: 09[IKE] retransmit 3 of request with message ID 2 (tries=3, timeout=5, exchange=37, state=2)
daemon.info: Apr 15 10:57:20 vedge1-site2 charon: 09[NET] sending packet: from 10.120.3.1[4500] to 165.225.16.161[4500] (80 bytes)

Tunnel killed:
daemon.info: Apr 15 10:57:49 vedge1-site2 charon: 09[IKE] giving up after 3 retransmits
daemon.info: Apr 15 10:57:49 vedge1-site2 charon: 09[KNL] Deleting SAD entry with SPI 000021ce
daemon.info: Apr 15 10:57:49 vedge1-site2 charon: 09[KNL] Deleting SAD entry with SPI 51b04f61
local7.info: Apr 15 10:57:49 vedge1-site2 FTMD[1256]: %Viptela-vedge1-site2-FTMD-6-INFO-1000001: VPN 0 Interface ipsec1 DOWN

Tunnel up:
daemon.info: Apr 15 10:57:54 vedge1-site2 charon: 09[KNL] add SAD entry with SPI 000021cf
daemon.info: Apr 15 10:57:54 vedge1-site2 charon: 09[KNL] add SAD entry with SPI 0dab05ed
daemon.info: Apr 15 10:57:54 vedge1-site2 charon: 09[IKE] CHILD_SA child_ipsec1_0{135} established with SPIs 000021cf_i 0dab05ed_o and TS 0.0.0.0/0 === 0.0.0.0/0
daemon.info: Apr 15 10:57:54 vedge1-site2 charon: 09[IKE] CHILD_SA child_ipsec1_0{135} established with SPIs 000021cf_i 0dab05ed_o and TS 0.0.0.0/0 === 0.0.0.0/0
local7.info: Apr 15 10:57:54 vedge1-site2 FTMD[1256]: %Viptela-vedge1-site2-FTMD-6-INFO-1000001: VPN 0 Interface ipsec1 UP. Speed 0 Duplex Full

Drop still happens:
kern.info: Apr 15 10:59:38 vedge1-site2 kernel: "iptables-dropped:"IN=ge0_4 OUT= MAC=80:b7:09:06:70:d4:70:d3:79:be:ff:c7:08:00 SRC=165.225.16.161 DST=10.120.3.1 LEN=112 TOS=0x00 PREC=0x00 TTL=50 ID=21456 PROTO=UDP SPT=4500 DPT=4500 LEN=92

First DPD request:
daemon.info: Apr 15 11:00:04 vedge1-site2 charon: 14[IKE] sending DPD request
daemon.info: Apr 15 11:00:04 vedge1-site2 charon: 14[ENC] generating INFORMATIONAL request 2 [ ]
daemon.info: Apr 15 11:00:04 vedge1-site2 charon: 14[NET] sending packet: from 10.120.3.1[4500] to 165.225.16.161[4500] (80 bytes)

Retry:
daemon.info: Apr 15 11:00:18 vedge1-site2 charon: 10[IKE] retransmit 2 of request with message ID 2 (tries=3, timeout=5, exchange=37, state=2)
daemon.info: Apr 15 11:00:18 vedge1-site2 charon: 10[NET] sending packet: from 10.120.3.1[4500] to 165.225.16.161[4500] (80 bytes)

Retry:
daemon.info: Apr 15 11:00:35 vedge1-site2 charon: 10[IKE] retransmit 3 of request with message ID 2 (tries=3, timeout=5, exchange=37, state=2)
daemon.info: Apr 15 11:00:35 vedge1-site2 charon: 10[NET] sending packet: from 10.120.3.1[4500] to 165.225.16.161[4500] (80 bytes)
daemon.info: Apr 15 11:00:35 vedge1-site2 charon: 09[IKE] sending DPD request

Tunnel killed:
daemon.info: Apr 15 11:01:04 vedge1-site2 charon: 15[IKE] giving up after 3 retransmits
daemon.info: Apr 15 11:01:04 vedge1-site2 charon: 15[KNL] Deleting SAD entry with SPI 000021cf
daemon.info: Apr 15 11:01:04 vedge1-site2 charon: 15[KNL] Deleting SAD entry with SPI 0dab05ed
local7.info: Apr 15 11:01:04 vedge1-site2 FTMD[1256]: %Viptela-vedge1-site2-FTMD-6-INFO-1000001: VPN 0 Interface ipsec1 DOWN
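As an added example (not part of the original write-up and not Cisco code), the following Python script performs the correlation described above mechanically: it parses vEdge syslog lines, records every iptables drop of a UDP/4500 packet, notes which peer charon is sending DPD to, and for each "giving up after N retransmits" followed by an FTMD interface DOWN it reports the SPIs torn down and the most recent 4500/udp drop from that same peer before it. The sample lines are copied (abridged) from the Apr 15 excerpt above; the year is an assumed value used only for time arithmetic, and the generated rekey command assumes the interface token is the name FTMD logs (ipsec1).

```python
"""Correlate "iptables-dropped" UDP/4500 events with charon DPD give-ups and
FTMD tunnel DOWN events in Cisco vEdge syslog output (added example)."""
import re
from datetime import datetime, timedelta

LOG_YEAR = 2020  # assumed: the syslog lines carry no year; only used for deltas

# "<facility>: Mon DD HH:MM:SS <host> <message>"
LINE_RE = re.compile(r'^(?:[\w.]+:\s+)?([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$')
DROP_RE = re.compile(r'"iptables-dropped:".*?\bSRC=(\S+) DST=(\S+).*?\bPROTO=UDP SPT=(\d+) DPT=(\d+)')
PEER_RE = re.compile(r'\[NET\] sending packet: from \S+\[\d+\] to (\S+)\[\d+\]')
GIVEUP_RE = re.compile(r'charon: \d+\[IKE\] giving up after (\d+) retransmits')
DELSPI_RE = re.compile(r'charon: \d+\[KNL\] Deleting SAD entry with SPI ([0-9a-f]+)')
DOWN_RE = re.compile(r'FTMD\[\d+\]:.*\bVPN (\d+) Interface (\S+) DOWN\b')


def parse_line(raw):
    """Return (timestamp, host, message), or None for lines we do not recognise."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def correlate(lines, window=timedelta(minutes=5)):
    """One record per tunnel DOWN: the DPD give-up that caused it, the IKE peer,
    the SPIs torn down, and the latest 4500/udp drop within `window` before it."""
    drops, incidents, pending, last_peer = [], [], None, None
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, _host, msg = parsed
        if (d := DROP_RE.search(msg)):
            if d.group(3) == "4500" and d.group(4) == "4500":  # NAT-T IKE/ESP-in-UDP
                drops.append({"at": ts, "src": d.group(1), "dst": d.group(2)})
        elif (p := PEER_RE.search(msg)):
            last_peer = p.group(1)  # the address charon is sending DPD to
        elif (g := GIVEUP_RE.search(msg)):
            pending = {"giveup_at": ts, "retransmits": int(g.group(1)),
                       "peer": last_peer, "spis": []}
        elif (s := DELSPI_RE.search(msg)) and pending is not None:
            pending["spis"].append(s.group(1))
        elif (dn := DOWN_RE.search(msg)) and pending is not None:
            prior = [x for x in drops if ts - window <= x["at"] <= ts]
            pending.update(down_at=ts, vpn=int(dn.group(1)), interface=dn.group(2),
                           preceding_drop=prior[-1] if prior else None)
            incidents.append(pending)
            pending = None
    return incidents


def drop_to_giveup_seconds(incident):
    """Seconds from the last dropped 4500/udp packet to the DPD give-up, or None."""
    drop = incident["preceding_drop"]
    return None if drop is None else (incident["giveup_at"] - drop["at"]).total_seconds()


def matches_bug_signature(incidents):
    """True when every tunnel DOWN followed exhausted DPD retransmits AND a dropped
    4500/udp packet from the very peer charon was polling: the pattern on this page."""
    return bool(incidents) and all(
        i["retransmits"] >= 3 and i["preceding_drop"] is not None
        and i["preceding_drop"]["src"] == i["peer"] for i in incidents)


def rekey_command(incident):
    """The page's workaround CLI for this tunnel; assumes the interface token is the
    name FTMD logs (e.g. ipsec1)."""
    return f'request ipsec ipsec-rekey interface {incident["interface"]} vpn {incident["vpn"]}'


# Sample lines copied from the Apr 15 excerpt above (abridged to the lines that matter).
SAMPLE_LOG = [
    'kern.info: Apr 15 10:56:16 vedge1-site2 kernel: "iptables-dropped:"IN=ge0_4 OUT= MAC=80:b7:09:06:70:d4:70:d3:79:be:ff:c7:08:00 SRC=165.225.16.161 DST=10.120.3.1 LEN=112 TOS=0x00 PREC=0x00 TTL=50 ID=33359 PROTO=UDP SPT=4500 DPT=4500 LEN=92',
    'daemon.info: Apr 15 10:56:49 vedge1-site2 charon: 08[IKE] sending DPD request',
    'daemon.info: Apr 15 10:56:49 vedge1-site2 charon: 08[NET] sending packet: from 10.120.3.1[4500] to 165.225.16.161[4500] (80 bytes)',
    'daemon.info: Apr 15 10:57:20 vedge1-site2 charon: 09[IKE] retransmit 3 of request with message ID 2 (tries=3, timeout=5, exchange=37, state=2)',
    'daemon.info: Apr 15 10:57:49 vedge1-site2 charon: 09[IKE] giving up after 3 retransmits',
    'daemon.info: Apr 15 10:57:49 vedge1-site2 charon: 09[KNL] Deleting SAD entry with SPI 000021ce',
    'daemon.info: Apr 15 10:57:49 vedge1-site2 charon: 09[KNL] Deleting SAD entry with SPI 51b04f61',
    'local7.info: Apr 15 10:57:49 vedge1-site2 FTMD[1256]: %Viptela-vedge1-site2-FTMD-6-INFO-1000001: VPN 0 Interface ipsec1 DOWN',
    'daemon.info: Apr 15 10:57:54 vedge1-site2 charon: 09[IKE] CHILD_SA child_ipsec1_0{135} established with SPIs 000021cf_i 0dab05ed_o and TS 0.0.0.0/0 === 0.0.0.0/0',
    'local7.info: Apr 15 10:57:54 vedge1-site2 FTMD[1256]: %Viptela-vedge1-site2-FTMD-6-INFO-1000001: VPN 0 Interface ipsec1 UP. Speed 0 Duplex Full',
    'kern.info: Apr 15 10:59:38 vedge1-site2 kernel: "iptables-dropped:"IN=ge0_4 OUT= MAC=80:b7:09:06:70:d4:70:d3:79:be:ff:c7:08:00 SRC=165.225.16.161 DST=10.120.3.1 LEN=112 TOS=0x00 PREC=0x00 TTL=50 ID=21456 PROTO=UDP SPT=4500 DPT=4500 LEN=92',
    'daemon.info: Apr 15 11:00:04 vedge1-site2 charon: 14[NET] sending packet: from 10.120.3.1[4500] to 165.225.16.161[4500] (80 bytes)',
    'daemon.info: Apr 15 11:01:04 vedge1-site2 charon: 15[IKE] giving up after 3 retransmits',
    'daemon.info: Apr 15 11:01:04 vedge1-site2 charon: 15[KNL] Deleting SAD entry with SPI 000021cf',
    'daemon.info: Apr 15 11:01:04 vedge1-site2 charon: 15[KNL] Deleting SAD entry with SPI 0dab05ed',
    'local7.info: Apr 15 11:01:04 vedge1-site2 FTMD[1256]: %Viptela-vedge1-site2-FTMD-6-INFO-1000001: VPN 0 Interface ipsec1 DOWN',
]

if __name__ == "__main__":
    found = correlate(SAMPLE_LOG)
    for i in found:
        print(i["interface"], "vpn", i["vpn"], "DOWN at", i["down_at"].time(), "SPIs", i["spis"],
              "seconds after last 4500/udp drop:", drop_to_giveup_seconds(i))
    if matches_bug_signature(found):
        print("workaround:", rekey_command(found[0]))
```

Feed it the lines of the vEdge syslog (the excerpts above are from it). The 5-minute window is a tunable assumption; on the sample it ties each DOWN to a drop roughly 90 seconds earlier, which is the DPD interval plus three retransmits. A DOWN with no preceding drop from the polled peer is reported with preceding_drop set to None and makes matches_bug_signature() return False, so an unrelated DPD timeout (peer genuinely gone) is not mistaken for this issue.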