-- On platforms with crypto offload (Cat8200, Cat8300, Cat8500, C1100 and ISR1100), nested IPsec tunnels result in the inner tunnel's packets being wrongly encrypted with the outer tunnel's session keys.
-- The peer drops the affected packets and logs an HMAC error:
   *Jul 6 09:36:37.767: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000011275821525537 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, DP Handle 3, src_addr 10.10.77.110, dest_addr 10.48.77.120, SPI 0x89e482e2
-- Platforms with crypto offload (Cat8200, Cat8300, Cat8500, C1100 and ISR1100) configured with nested IPsec tunnels.
-- Encryption is enabled on both the outer and the inner tunnel.
-- Workaround: do not use encryption on the outer tunnel.
The device sends the traffic to the outer tunnel for encryption first and only then hands it back to the inner tunnel, so the packet ends up encrypted with the outer tunnel's SAs only. The encapsulation nevertheless looks correct when the packet's SPI is compared with the receiving peer's SA: the SPI in the HMAC error matches an ACTIVE inbound SA, so the mismatch is in the keys, not in the SPI.
   *Jul 6 09:36:37.767: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000011275821525537 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, DP Handle 3, src_addr 10.10.77.110, dest_addr 10.48.77.120, SPI 0x89e482e2
   inbound esp sas:
     spi: 0x89E482E2(2313454306)
       transform: esp-256-aes esp-sha256-hmac ,
       in use settings ={Tunnel, }
       conn id: 3853, flow_id: ESG:1853, sibling_flags FFFFFFFF80000048, crypto map: Virtual-Access1-head-0
       sa timing: remaining key lifetime (k/sec): (4608000/2798)
       IV size: 16 bytes
       replay detection support: Y
       Status: ACTIVE(ACTIVE
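The fingerprint of this defect on the receiving peer is a steady stream of %IPSEC-3-HMAC_ERROR messages for one SA whose SPI is still listed as ACTIVE. The following Python script is an added example, not part of the bug record or of any Cisco tooling: it parses syslog lines of the format quoted above, normalises the SPI so the lower-case value in the log matches the upper-case value in the show output, counts errors per (src_addr, dest_addr, SPI) tuple, and flags SAs that exceed an assumed threshold. The sample log is constructed from the quoted line plus invented repeats and one unrelated message; the threshold of 3 is an arbitrary tuning value.

```python
import re
from collections import Counter

# Pattern for the %IPSEC-3-HMAC_ERROR message as it appears in the bug record.
HMAC_ERROR_RE = re.compile(
    r"%IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, "
    r"DP Handle (?P<handle>\d+), src_addr (?P<src>[0-9a-fA-F.:]+), "
    r"dest_addr (?P<dst>[0-9a-fA-F.:]+), SPI (?P<spi>0x[0-9a-fA-F]+)"
)


def parse_hmac_errors(lines):
    """Return one dict per HMAC error line; lines without the message are ignored."""
    events = []
    for line in lines:
        m = HMAC_ERROR_RE.search(line)
        if not m:
            continue
        events.append({
            "handle": int(m.group("handle")),
            "src": m.group("src"),
            "dst": m.group("dst"),
            # Store the SPI as an int so 0x89e482e2 (log) and 0x89E482E2 (show output) compare equal.
            "spi": int(m.group("spi"), 16),
        })
    return events


def count_by_sa(lines):
    """Count HMAC errors per (src, dst, spi) tuple, i.e. per inbound SA."""
    return Counter((e["src"], e["dst"], e["spi"]) for e in parse_hmac_errors(lines))


def suspect_sas(lines, threshold=3):
    """SAs whose error count reaches the threshold (an assumed tuning value, not from the record)."""
    return {sa: n for sa, n in count_by_sa(lines).items() if n >= threshold}


def spi_hex(spi):
    """Format an SPI the way 'show crypto ipsec sa' prints it, for cross-checking."""
    return f"0x{spi:08X}"


# Constructed sample log: the line quoted in the bug record, two invented repeats,
# one invented error on a different SPI, and one unrelated syslog message.
SAMPLE_LOG = [
    "*Jul 6 09:36:37.767: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 "
    "TS:00000011275821525537 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, "
    "DP Handle 3, src_addr 10.10.77.110, dest_addr 10.48.77.120, SPI 0x89e482e2",
    "*Jul 6 09:36:38.112: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 "
    "TS:00000011275821870011 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, "
    "DP Handle 3, src_addr 10.10.77.110, dest_addr 10.48.77.120, SPI 0x89e482e2",
    "*Jul 6 09:36:38.540: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 "
    "TS:00000011275822298404 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, "
    "DP Handle 3, src_addr 10.10.77.110, dest_addr 10.48.77.120, SPI 0x89e482e2",
    "*Jul 6 09:36:39.001: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 "
    "TS:00000011275822759120 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, "
    "DP Handle 5, src_addr 10.10.77.110, dest_addr 10.48.77.120, SPI 0x1a2b3c4d",
    "*Jul 6 09:36:39.350: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]


if __name__ == "__main__":
    for (src, dst, spi), n in suspect_sas(SAMPLE_LOG).items():
        print(f"{n} HMAC errors on SA {src} -> {dst} SPI {spi_hex(spi)}; "
              f"compare against 'show crypto ipsec sa' and check for a nested outer tunnel")
```

When an SA flagged by this script is ACTIVE on the peer with a matching SPI (as in the show output above), the keys, not the SPI, are the mismatch, which is exactly the symptom of this defect; the fix on the sending side is the documented workaround of removing encryption from the outer tunnel.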