Launching soon: The world's first vendor agnostic bug scrubLearn more & join waitlist
OPERATIONAL DEFECT DATABASE
...
...
Topology as described below: [branch4-gw1 or gw2]-----[HUB DC4-gw1] ----[sim1 to sim6 in parallel] DUT cat8300 DUT cat8500 ASR1002-HX First of all, traffic between DMVPN hub and spokes are working fine. For traffic between DMVPN spokes we enabled NHRP phase 3 shortcut. As one pair of device under test (DUT), we have two cat8300 (named branch4_gw1 and branch4_gw2) simulating one branch site, each of them established over 1020 NHRP phase 3 shortcuts with 6 branch simulators (simulator is ASR1002-HX). The routing protocol is BGP for the overlay and BFD (hardware offloading, non-echo mode) is enabled for BGP sessions. To achieve >1000 NHRP shortcuts on each cat8300, each sim router will have 100 or 200 NHRP shortcuts built with each DUT Cat8300. This is based on hub-spoke IPSEC/IKE sessions they already have with dc4_gw1/gw2 (Cat8500 and ASR1009X RP3/ESP200X). So please see DMVPN session counts on each device documented by below matrix table. When we launch the traffic flows to trigger shortcuts to be built between branch4_gw1/gw2 and sim routers. After some time ( can be 15-30mins or so), we can see some BFD sessions start flapping randomly, and re-established right after session being destroyed. May 23 16:07:13.717: %BFD-6-BFD_SESS_DESTROYED: BFD-SYSLOG: bfd_session_destroyed, ld:3851 neigh proc:NHRP, handle:463 active May 23 16:07:15.127: %BFD-6-BFD_SESS_CREATED: BFD-SYSLOG: bfd_session_created, neigh 10.200.129.74 proc:NHRP, idb:Tunnel1000 handle:496 act May 23 16:07:15.490: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.153.1, prot=50, spi=0x3C20E757(1008789335), srcaddr=192.168.193.81, input interface=Tunnel1000 May 23 16:07:16.099: %BFDFSM-6-BFD_SESS_UP: BFD-SYSLOG: BFD session ld:3908 handle:520 is going UP May 23 16:07:20.227: %BFD-6-BFD_SESS_CREATED: BFD-SYSLOG: bfd_session_created, neigh 10.200.129.183 proc:NHRP, idb:Tunnel1000 handle:102 act May 23 16:07:21.271: %BFDFSM-6-BFD_SESS_UP: BFD-SYSLOG: BFD session ld:358 handle:944 is going UP May 23 16:11:12.963: %BFD-6-BFD_SESS_DESTROYED: BFD-SYSLOG: bfd_session_destroyed, ld:3890 neigh proc:NHRP, handle:502 active May 23 16:11:13.040: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.153.1, prot=50, spi=0x8B575FA4(2337759140), srcaddr=192.168.193.85, input interface=Tunnel1000
When scaled DMVPN nhrp phase 3 shortcuts are built between catalyst 8300 device and ASR1002-HX as scale router simulators. The scale for nhrp phase 3 shortcuts tested on catalyst 8300 is 1023.
No known workaround.
None.