...
Without any debugs enabled, the router shows memory dump output that appears to contain HTTP methods:

FFFF7936E8E4: 47455420 2F62696E 2F7A6874 7470642F GET /bin/zhttpd/
FFFF793BB964: 0E000000 00000000 ........
FFFF793BB974: 00000000 00000000 62626262 30313030 ........bbbb0100
FFFF793BB984: 30303030 3031 000001
FFFF7932BDA4: 504F5354 202F7363 POST /sc
FFFF7932BDC4: 48545450 2F312E31 0D0A436F 6E74656E HTTP/1.1..Conten
FFFF7932BDD4: 742D4C65 6E677468 t-Length
...

Users may see a number of crypto/VPN-related syslogs at the same time:

%CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:xx.xx.xx.xx local_id:xx.xx.xx.xx remote:xx.xx.xx.xx remote_id:xx.xx.xx.xx IKE profile:None fvrf:None fail_reason:Peer lost fail_class_cnt:1
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=xx.xx.xx.xx, prot=xx, spi=0xXXXXXXXX(XXXXXXXXXX), srcaddr=xx.xx.xx.xx, input interface=GigabitEthernetx/y/z
%CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:xx.xx.xx.xx local_id:xx.xx.xx.xx remote:xx.xx.xx.xx remote_id:xx.xx.xx.xx IKE profile:None fvrf:None fail_reason:Peer lost fail_class_cnt:1
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=xx.xx.xx.xx, prot=xx, spi=0xXXXXXXXX(XXXXXXXXXX), srcaddr=xx.xx.xx.xx, input interface=GigabitEthernetx/y/z
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=xx.xx.xx.xx, prot=xx, spi=0xXXXXXXXX(XXXXXXXXXX), srcaddr=xx.xx.xx.xx, input interface=GigabitEthernetx/y/z
This particular memory dump occurs within SSL VPN processing, so that functionality needs to be enabled on the router in order to encounter this issue. As the memory dump occurs in an SSL VPN error state, simply having the feature configured will not necessarily result in this behavior. The device would need to be in the corresponding SSL VPN error state.
There is no impact from these debug messages. Users can simply ignore the logs or work to address the underlying SSL VPN issues that lead to the code path that dumps this memory.
Traceback analysis identified the list of functions leading up to the memory dump, and they show SSL VPN processing. Code analysis indicates that the router reaches this code flow when there is an error parsing an SSL record. The router ends up in SSL VPN handling code, where a function that dumps memory is not properly wrapped in a debug check. Other nearby debugs are handled properly, so they don’t appear unless the corresponding "debug" is enabled. Based on the nearby code, the "debug crypto ssl data" debug may help isolate any underlying VPN issues, because the router should land in that code flow in order to reach the problematic memory dump function call.
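To check whether unexpected hex lines in a log capture are this dump, the following added example (not Cisco code) decodes dump lines in the format shown above, merges address-contiguous lines, and reports the segments that contain HTTP text. The function names are hypothetical, and the sample input is constructed from dump lines on this page plus one shortened syslog line.

```python
import re

DUMP_LINE = re.compile(r"^([0-9A-F]{8,16}):\s+(.*)$")
HEX_WORD = re.compile(r"^(?:[0-9A-F]{2}){1,4}$")
HTTP_HINT = re.compile(rb"^(?:GET|POST|PUT|HEAD|DELETE|OPTIONS) /|HTTP/1\.[01]")

# Constructed sample: dump lines copied from the output above plus one
# shortened syslog line, to show that non-dump lines are skipped.
SAMPLE_LOG = """\
FFFF7936E8E4: 47455420 2F62696E 2F7A6874 7470642F GET /bin/zhttpd/
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi
FFFF7932BDC4: 48545450 2F312E31 0D0A436F 6E74656E HTTP/1.1..Conten
FFFF7932BDD4: 742D4C65 6E677468 t-Length
FFFF793BB974: 00000000 00000000 62626262 30313030 ........bbbb0100
FFFF793BB984: 30303030 3031 000001
"""

def render(data):
    """ASCII column as the dump prints it: non-printable bytes become '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)

def parse_dump_line(line):
    """Return (address, bytes) for a dump line, or None for any other log line."""
    m = DUMP_LINE.match(line.strip())
    if not m:
        return None
    tokens = m.group(2).split()
    n_hex = 0
    while n_hex < len(tokens) and HEX_WORD.match(tokens[n_hex]):
        n_hex += 1
    # The ASCII column can itself look like hex ("000001"), so prefer the split
    # whose decoded bytes reproduce the remaining text (whitespace ignored).
    for k in range(1, n_hex + 1):
        data = bytes.fromhex("".join(tokens[:k]))
        if render(data).replace(" ", "") == "".join(tokens[k:]):
            return int(m.group(1), 16), data
    if n_hex == 0:
        return None
    return int(m.group(1), 16), bytes.fromhex("".join(tokens[:n_hex]))

def http_like_segments(log_text):
    """Merge address-contiguous dump lines; keep segments that look like HTTP."""
    segments = []
    for addr, data in filter(None, map(parse_dump_line, log_text.splitlines())):
        if segments and segments[-1][0] + len(segments[-1][1]) == addr:
            segments[-1] = (segments[-1][0], segments[-1][1] + data)
        else:
            segments.append((addr, data))
    return [(hex(a), render(d)) for a, d in segments if HTTP_HINT.search(d)]
```

Run `http_like_segments()` over a saved log capture; segments it returns alongside the crypto syslogs listed above are consistent with this dump rather than with an enabled debug.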