BugZero | Cisco BugID CSCvy55507 - cEdges are dropping incoming GRe keepalives due to...

Cisco - Defect ID: CSCvy55507

cEdges are dropping incoming GRe keepalives due to implicit ACL

Cisco - Defect ID: CSCvy55507

cEdges are dropping incoming GRe keepalives due to implicit ACL

Last updated on 5/26/2024

Overall: 6.16.1

Severity: 6.46.4

Lifecycle: 9.19.1

Popularity: 5.15.1

What is the BugZero Risk Score?

Vendor details

No defect details.

Overall: 6.16.1

Severity: 6.46.4

Lifecycle: 9.19.1

Popularity: 5.15.1

What is the BugZero Risk Score?

Vendor details

No defect details.

Symptom

After enabling keepalives to a GRE Tunnel, it goes down as the implicit ACL is dropping thew incoming packets sdwan ! interface GigabitEthernet0/0/0 tunnel-interface encapsulation ipsec weight 1 no border color biz-internet restrict no last-resort-circuit no low-bandwidth-link no vbond-as-stun-server vmanage-connection-preference 7 port-hop carrier carrier3 nat-refresh-interval 5 hello-interval 1000 hello-tolerance 12 no allow-service all <<<<<<< no allow-service bgp allow-service dhcp allow-service dns allow-service icmp no allow-service sshd no allow-service netconf no allow-service ntp no allow-service ospf no allow-service stun allow-service https no allow-service snmp no allow-service bfd exit cEdge#show platform packet-trace summary Pkt Input Output State Reason 0 INJ.7 Gi0/0/0 FWD 1 Gi0/0/0 Gi0/0/0 DROP 480 (SdwanImplicitAclDrop) 2 INJ.7 Gi0/0/0 FWD 3 Gi0/0/0 Gi0/0/0 DROP 480 (SdwanImplicitAclDrop) 4 INJ.7 Gi0/0/0 FWD 5 Gi0/0/0 Gi0/0/0 DROP 480 (SdwanImplicitAclDrop) 6 INJ.7 Gi0/0/0 FWD 7 Gi0/0/0 Gi0/0/0 DROP 480 (SdwanImplicitAclDrop) 8 INJ.7 Gi0/0/0 FWD 9 Gi0/0/0 Gi0/0/0 DROP 480 (SdwanImplicitAclDrop) 10 INJ.7 Gi0/0/0 FWD 11 Gi0/0/0 Gi0/0/0 DROP 480 (SdwanImplicitAclDrop)

Conditions

interface GigabitEthernet0/0/0 tunnel-interface encapsulation ipsec weight 1 no border color biz-internet restrict no last-resort-circuit no low-bandwidth-link no vbond-as-stun-server vmanage-connection-preference 7 port-hop carrier carrier3 nat-refresh-interval 5 hello-interval 1000 hello-tolerance 12 no allow-service all <<<<<<< no allow-service bgp allow-service dhcp allow-service dns allow-service icmp no allow-service sshd no allow-service netconf no allow-service ntp no allow-service ospf no allow-service stun allow-service https no allow-service snmp no allow-service bfd exit interface Tunnel100522 no shutdown keepalive 3 10 <<<<< ip address 172.16.0.1 255.255.255.252 ip mtu 1500 tunnel source GigabitEthernet0/0/0 tunnel destination x.x.x.x tunnel mode gre ip tunnel vrf multiplexing

Workaround

Remove the keepalives Create a regular ACL to accept the incoming packets in the tunnel interfaces

Further Problem Description

Original Vendor Announcement

9.65Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.65Defect ID: CSCwa92734
CUBE DTMF interworking fails from rtp-nte to OOB SIP methods
9.65Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.65Defect ID: CSCvo03458
PKI "revocation check crl none" does not fallback if CRL not reachable
9.65Defect ID: CSCvq05584
Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCvy55507

cEdges are dropping incoming GRe keepalives due to implicit ACL

Cisco - Defect ID: CSCvy55507

cEdges are dropping incoming GRe keepalives due to implicit ACL

Last updated on 5/26/2024

Vendor details

Vendor details

Description

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco defects by risk score

Ready to prevent the next vendor outage?