SDWAN BFD may stay down due to IPSec anti-replay window drops. The following log messages will be seen on the PEER:

1. IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:083 TS:00 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 2770, src_addr >, dest_addr , SPI 0x293

2. cpp_cp logs like: anti-replay drop on sa=0x1xxxx, src dst , spi 3855/(0xf0f), ip_id 43798, sns_idx 0, seq_no=5, ar_highest=2554

seq_no is very low compared to ar_highest.
May happen after CC flap on WAN interface and port-hop.
clear sdwan omp all (on the router that has the low seq number)
Affects only devices with the CSCwb07307 fix. Seq_no can be verified without using cpp logs:

step 1: collect "show platform hardware qfp active feature ipsec data crypto-sa in" on the router with IPSec anti-replay logs
step 2: on the same peer collect "show platform hardware qfp active feature ipsec data crypto-sa "
step 3: collect "show platform hardware qfp active feature ipsec data crypto-sa out" on the remote router
step 4: on the same peer collect "show platform hardware qfp active feature ipsec data crypto-sa "

The difference between the ar_numbers from steps 2 and 4 will be above 8K.
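When cpp_cp logs are available, the seq_no versus ar_highest comparison described above can be scripted over the collected lines. This is an added example, not Cisco tooling: the sample lines are constructed, and the 1024-packet gap threshold and two-drop minimum are assumptions to be set against the replay window configured on the device.

```python
import re
from collections import defaultdict

# Fields as they appear in the cpp_cp drop line quoted above. The src/dst
# values are skipped because their layout is elided in the page's sample.
DROP_RE = re.compile(
    r"anti-replay drop on sa=[^,]+,.*?"
    r"\bspi\s+(?P<spi>\d+)/\(0x[0-9a-fA-F]+\).*?"
    r"\bseq_no=(?P<seq>\d+),\s*ar_highest=(?P<hi>\d+)"
)

def parse_drops(lines):
    """Return {spi: [(seq_no, ar_highest), ...]} for every drop line found."""
    drops = defaultdict(list)
    for line in lines:
        m = DROP_RE.search(line)
        if m:
            drops[int(m["spi"])].append((int(m["seq"]), int(m["hi"])))
    return dict(drops)

def stale_sender_spis(lines, gap_threshold=1024, min_drops=2):
    """Flag SPIs where every drop lags ar_highest by more than gap_threshold
    and ar_highest never advances, i.e. the receiver is accepting nothing.
    Both defaults are assumed values, not Cisco figures."""
    flagged = {}
    for spi, pairs in parse_drops(lines).items():
        gaps = [hi - seq for seq, hi in pairs]
        frozen = len({hi for _, hi in pairs}) == 1
        if len(pairs) >= min_drops and frozen and min(gaps) > gap_threshold:
            flagged[spi] = {"drops": len(pairs), "min_gap": min(gaps),
                            "ar_highest": pairs[0][1]}
    return flagged

# Constructed sample lines; addresses come from documentation ranges.
PFX = "cpp_cp: anti-replay drop on sa=0x1a2b3, src 192.0.2.1 dst 198.51.100.1, "
SAMPLE = [
    PFX + "spi 3855/(0xf0f), ip_id 43798, sns_idx 0, seq_no=5, ar_highest=2554",
    PFX + "spi 3855/(0xf0f), ip_id 43799, sns_idx 0, seq_no=6, ar_highest=2554",
    PFX + "spi 3855/(0xf0f), ip_id 43802, sns_idx 0, seq_no=9, ar_highest=2554",
    # Ordinary reordering: small gap, ar_highest still advancing.
    PFX + "spi 4112/(0x1010), ip_id 511, sns_idx 0, seq_no=9000, ar_highest=9600",
    PFX + "spi 4112/(0x1010), ip_id 560, sns_idx 0, seq_no=9050, ar_highest=9700",
    "some unrelated log line that must be ignored",
]

if __name__ == "__main__":
    for spi, info in stale_sender_spis(SAMPLE).items():
        print(f"spi {spi} (0x{spi:x}): {info}")
```

A flagged SPI identifies the tunnel whose sender restarted at a low sequence number while the receiver kept its old high-water mark.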