...
+++++++ In Steady state +++++++++
A BGP neighbor is configured with TCP AO using a type6 key-chain specifically, and the BGP sessions are NSR ready.

+++++++ Trigger ++++++++++++++
Switch-over or RP Fail-over (RPFO).

+++++++ Impact +++++++++++++
Post switch-over, on the new Standby, TCP is not able to authenticate the incoming BGP packets of the same neighbor that was configured with TCP AO using specifically the type6 key-chain, because TCP finds that it has no valid key to authenticate the packet. It drops the packet and logs the below message on the console:

RP/0/RP1/CPU0:Jun 13 15:38:41.534 IST: tcp[131]: %IP-TCP-3-BADAUTH : Invalid AO digest from 11.1.1.3:49043 to 11.1.1.4:179 for vrf:default (0x60000000)

So the impact is only on the standby side w.r.t. TCP AO functionality, specifically with the use of a type6 keychain; the NSR of the concerned BGP neighbor session (configured with TCP AO using a type6 key-chain) will be impacted.

Note - The other BGP neighbors configured with TCP AO using non-type6 key-chains are not impacted.

On the Active node side there is no impact at all: TCP continues to receive and authenticate the incoming BGP packets and forwards them to the BGP application. BGP sessions continue to be steady as expected, so there is no traffic impact.

++++++++ Frequency of hitting this issue ++++++++
Rare - 1 out of 5 attempts
----
Post switchover, on the new standby we can check the following show command to see whether we hit this issue on the new standby.

+++ show tcp authentication keychain all detail location ++++

Keychain name: bgp-AO-rsp4, configured for tcp-ao
Desired key not yet available
No notification received from keychain yet
Total number of keys: 1
Key details:
  Key ID: 1, Active, Invalid, reason: config incomplete   <<<<< key is invalid due to config incomplete - this shows that we hit this issue
    Active_state: 1, invalid_bits: 0x1, state: 0x2
    Key is configured for tcp-ao, Send ID: 254, Receive ID: 254
    Crypto algorithm: AES_128_CMAC_96, key string chksum: 00000000   <<<< key string chksum is 0. This means TCP could not get the key string (the type6-encrypted password) from the keychain module during config replay at standby bootup - this shows that we hit this issue.
    No notification received from keychain yet
    No valid overlapping key
    No keys invalidated
No key is usable (i.e. Valid and Active):   <<<< No key is usable

Now if you run the same show command on the new active, the AO keychain config is replayed correctly without any error.

+++ show tcp authentication keychain all detail location ++++

Keychain name: bgp-AO-rsp4, configured for tcp-ao
Desired key: 1
No notification received from keychain yet
Total number of keys: 1
Key details:
  Key ID: 1, Active, Valid   <<<< key is valid and active.
    Active_state: 1, invalid_bits: 0x0, state: 0x3
    Key is configured for tcp-ao, Send ID: 254, Receive ID: 254
    Crypto algorithm: AES_128_CMAC_96, key string chksum: 010132c7   <<< key string chksum is non-zero, meaning TCP could get the key string (type6 password) from the keychain module without any error.
    No notification received from keychain yet
    No valid overlapping key
    No keys invalidated
Total number of usable (Active & Valid) keys: 1   <<< see usable key is 1.
Keys: 1,
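The two indicators above (a key reported "Invalid, reason: config incomplete" and an all-zero key string chksum) can be checked automatically after an RPFO. The following is an added example, not Cisco's own tooling: it parses constructed samples modeled on the show output above (the field layout is assumed from that output) and flags keys showing either symptom.

```python
import re

# Constructed sample modeled on the standby-side output quoted above.
STANDBY_OUTPUT = """\
Keychain name: bgp-AO-rsp4, configured for tcp-ao
Desired key not yet available
Total number of keys: 1
Key details:
  Key ID: 1, Active, Invalid, reason: config incomplete
    Active_state: 1, invalid_bits: 0x1, state: 0x2
    Crypto algorithm: AES_128_CMAC_96, key string chksum: 00000000
No key is usable (i.e. Valid and Active):
"""

# Constructed sample modeled on the healthy active-side output.
ACTIVE_OUTPUT = """\
Keychain name: bgp-AO-rsp4, configured for tcp-ao
Desired key: 1
Total number of keys: 1
Key details:
  Key ID: 1, Active, Valid
    Active_state: 1, invalid_bits: 0x0, state: 0x3
    Crypto algorithm: AES_128_CMAC_96, key string chksum: 010132c7
Total number of usable (Active & Valid) keys: 1
"""

KEYCHAIN_RE = re.compile(r"^Keychain name: (\S+),")
KEY_RE = re.compile(
    r"^\s*Key ID: (\d+), (Active|Inactive), (Valid|Invalid)(?:, reason: (.*))?$")
CHKSUM_RE = re.compile(r"key string chksum: ([0-9a-fA-F]{8})")


def find_incomplete_ao_keys(show_output):
    """Map (keychain, key_id) -> list of symptom indicators seen for that key.

    An empty result means no key in the output shows the post-RPFO symptom."""
    findings = {}
    keychain, key = None, None
    for line in show_output.splitlines():
        m = KEYCHAIN_RE.match(line)
        if m:
            keychain = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m:
            key = (keychain, int(m.group(1)))
            if m.group(3) == "Invalid":
                findings.setdefault(key, []).append(
                    "Invalid: " + (m.group(4) or "no reason given"))
            continue
        m = CHKSUM_RE.search(line)
        if m and key is not None and m.group(1) == "00000000":
            # Zero chksum: TCP never received the key string from the keychain module.
            findings.setdefault(key, []).append("key string chksum is all zero")
    return findings
```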
This issue is only seen in the case of a type6 keychain configured with TCP AO.
None.
Recovery is a process restart of tcp on the standby node.