...
FTDM process may crash while running performance/scale testing. cEdge device will have control connections but BFD sessions will be down.
This crash was seen during performance/scale testing. The cEdge device will have control connections up, but some BFD sessions will be in the down state. When you run the following commands on both devices with the down BFD sessions, the SPI on the local device will not match the outbound SPI on the remote device:

- show sdwan ipsec local-sa
- show platform software sdwan R0 internal "ttm tlocs" | inc TLOC:|spi

In a working scenario, you will see the local-sa SPI match the SPI on the remote side:

cEdge1:

    show sdwan ipsec local-sa
                                            SOURCE          SOURCE  SOURCE
    TLOC ADDRESS  TLOC COLOR     SPI        IPv4            IPv6    PORT    KEY HASH
    ----------------------------------------------------------------------------------
    5.5.5.3       biz-internet   278 <<<<   192.168.30.111  ::      32722   *****fd45

    show platform software sdwan R0 internal "ttm tlocs" | inc TLOC:|spi
    TLOC: 4.4.4.4 : biz-internet : ipsec, Origin: REMOTE, Index: 32771, Carrier: 1, LR Enabled: 0, LR hold time: 0
      Encap: ipsec-tunnel, Integrity: ip-udp-esp esp(0x98), encrypt: aes256(0xc), spi 307
    TLOC: 5.5.5.1 : public-internet : ipsec, Origin: REMOTE, Index: 32773, Carrier: 1, LR Enabled: 0, LR hold time: 0
      Encap: ipsec-tunnel, Integrity: ip-udp-esp esp(0x98), encrypt: aes256(0xc), spi 449 <<<< This matches the SPI on cEdge2 output 'show sdwan ipsec local-sa'

Remote device, cEdge2:

    show sdwan ipsec local-sa
                                            SOURCE          SOURCE  SOURCE
    TLOC ADDRESS  TLOC COLOR     SPI        IPv4            IPv6    PORT    KEY HASH
    ----------------------------------------------------------------------------------
    4.4.4.4       biz-internet   307 <<<<   192.168.18.184  ::      32722   *****598d

    show platform software sdwan R0 internal "ttm tlocs" | inc TLOC:|spi
    TLOC: 4.4.4.4 : biz-internet : ipsec, Origin: LOCAL, Index: 32786, Carrier: 1, LR Enabled: 0, LR hold time: 7000
      Encap: ipsec-tunnel, Integrity: ip-udp-esp esp(0x98), encrypt: aes256(0xc), spi 307
    TLOC: 5.5.5.1 : mpls : ipsec, Origin: REMOTE, Index: 32780, Carrier: 1, LR Enabled: 0, LR hold time: 0
      Encap: ipsec-tunnel, Integrity: ip-udp-esp esp(0x98), encrypt: aes256(0xc), spi 446
    TLOC: 5.5.5.1 : public-internet : ipsec, Origin: REMOTE, Index: 32783, Carrier: 1, LR Enabled: 0, LR hold time: 0
      Encap: ipsec-tunnel, Integrity: ip-udp-esp esp(0x98), encrypt: aes256(0xc), spi 449
    TLOC: 5.5.5.3 : biz-internet : ipsec, Origin: REMOTE, Index: 32784, Carrier: 1, LR Enabled: 0, LR hold time: 0
      Encap: ipsec-tunnel, Integrity: ip-udp-esp esp(0x98), encrypt: aes256(0xc), spi 278 <<<< This matches the SPI on cEdge1 output 'show sdwan ipsec local-sa'

In a non-working scenario, the SPIs will not match one another.
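The comparison above, scripted as an added example (not Cisco tooling and not part of the original bug text): it parses one device's local-sa output and the peer's ttm tlocs output, then lists every local TLOC whose SPI the peer does not hold. The function names, the two-line layout of each ttm tlocs entry, and treating any of several local SPI rows for one TLOC as a match are assumptions.

```python
import re

# Constructed sample input, copied from the working-scenario listings above.
CEDGE1_LOCAL_SA = "5.5.5.3  biz-internet  278  192.168.30.111  ::  32722  *****fd45\n"
CEDGE2_TTM_TLOCS = """\
TLOC: 4.4.4.4 : biz-internet : ipsec, Origin: LOCAL, Index: 32786, Carrier: 1, LR Enabled: 0, LR hold time: 7000
  Encap: ipsec-tunnel, Integrity: ip-udp-esp esp(0x98), encrypt: aes256(0xc), spi 307
TLOC: 5.5.5.3 : biz-internet : ipsec, Origin: REMOTE, Index: 32784, Carrier: 1, LR Enabled: 0, LR hold time: 0
  Encap: ipsec-tunnel, Integrity: ip-udp-esp esp(0x98), encrypt: aes256(0xc), spi 278
"""

def parse_local_sa(text):
    """Map (tloc_address, color) -> set of SPIs from 'show sdwan ipsec local-sa' rows."""
    sas = {}
    # Data rows start with an IPv4 TLOC address; header and dash lines do not match.
    for addr, color, spi in re.findall(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)", text, re.M):
        sas.setdefault((addr, color), set()).add(int(spi))
    return sas

def parse_remote_tlocs(text):
    """Map (tloc_address, color) -> SPI for the Origin: REMOTE entries of 'ttm tlocs'."""
    spis = {}
    for entry in re.split(r"(?=TLOC:)", text):  # one chunk per TLOC entry
        head = re.match(r"TLOC:\s*(\S+)\s*:\s*(\S+)\s*:.*?Origin:\s*(\w+)", entry, re.S)
        spi = re.search(r"\bspi\s+(\d+)", entry)
        if head and spi and head.group(3) == "REMOTE":
            spis[(head.group(1), head.group(2))] = int(spi.group(1))
    return spis

def spi_mismatches(local_sa_text, peer_ttm_text):
    """Return (tloc, color, local_spis, peer_spi) where the peer disagrees or has no entry."""
    peer = parse_remote_tlocs(peer_ttm_text)
    return [(addr, color, sorted(spis), peer.get((addr, color)))
            for (addr, color), spis in parse_local_sa(local_sa_text).items()
            if peer.get((addr, color)) not in spis]

if __name__ == "__main__":
    # Working scenario from the page: prints nothing because the SPIs agree.
    for addr, color, local, remote in spi_mismatches(CEDGE1_LOCAL_SA, CEDGE2_TTM_TLOCS):
        print(f"MISMATCH {addr} {color}: local SPI {local}, peer has {remote}")
```

Run it in both directions (cEdge1 local-sa against cEdge2 ttm tlocs, and the reverse); a peer SPI of None means the peer has no REMOTE entry for that TLOC and color.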
Reboot the device. Solution - Upgrade to a known fixed version.
This will impact all cEdge platforms. To fully validate that you are impacted, perform the following commands on the device(s) and generate an admin tech with all 3 boxes checked (Log, Core, and Tech). Open a TAC case and upload the admin tech(s) to the case.