GETVPN strange issue- question

mguzman4158
Level 1

Hello all, 

GETVPN was implemented 4 years ago and about 120 routers are participating. Every year or so some routers stop encrypting/decrypting ingress and egress traffic. They show as registered to the key servers, have the correct ACL, and everything seems normal. The encryption/decryption counters do go up, but very little. Forcing a re-key and clearing the crypto doesn't work, even though the router successfully registers again and downloads the correct ACL. The only fix thus far has been to power cycle the affected routers. I cannot run any debug commands because they need to be up ASAP.

The only thing in the logs I've been able to see that is consistent thru out all the affected routers is:

REPLAY_ERROR_IPV6: IPSec SA receives anti-replay error, DP Handle 5, ipv6 src_addr D9D6:7B50:4500:11B:2F00::7E11:8133, ipv6 dest_addr A17:776F:A0F:A:EBBB:185:107:FC8E, SPI 0x76551875

I was not able to find anything relevant, and TAC didn't find anything either. I'm not running any IPv6.

Has anyone experienced this? I know it doesn't happen often, but when it does it is very visible in my environment. I would like to take preventive measures if possible.

Thanks in advance for your replies.

Accepted Solution

Hello,

I did find the bug below. I would suggest upgrading the IOS to Everest 16.4/5/6, Fuji 16.7/8/9, or Gibraltar 16.10/11.

GETVPN on IOS-XE: GM incorrectly drops packets due to TBAR failure
CSCut91647
Description
Symptom:
A Cisco ASR1000/ISR4400 series router acting as a Group Member in a GETVPN environment
may incorrectly drop traffic due to Time Based Anti-Replay failure. These drops are
identified with syslog messages like this:

%IOSXE-3-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:023 TS:00000075738659277452 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 4, src_addr xx.xx.aa.bb, dest_addr xx.xx.cc.dd, SPI 0xada39663

Note that these drops indicate IPv6 addresses although only IPv4 is enabled in the network

Conditions:
This problem is only seen when Time Based Anti-Replay is enabled in the GETVPN network.
Platforms that run IOS-XE are affected such as:
ASR1000 Series Routers
ISR4400 Series Routers

Workaround:
None at this time.

Known Fixed Releases: (11)
16.2(0.67)
15.5(3)SN
15.5(3)S1a
15.5(3)S1
15.5(3)S0a
15.5(3)S
15.5(2.24)S
15.5(2.21)S0.12
15.5(2.21)S0.4
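The bug text above gives a usable detection signature: an IPsec anti-replay syslog message whose addresses are IPv6 literals on a group member that carries only IPv4. The script below is an added example for this thread, not code from the original post or from Cisco; it parses the two message formats quoted on this page, counts replay drops per GM and SPI, and flags hosts that show the CSCut91647 pattern. The log lines in SAMPLE_LOGS are constructed, the hostnames are made up, and the "Mon day time hostname seq:" collector prefix is an assumption about how the syslog server stores the lines.

```python
"""Detect GETVPN group members logging IPsec anti-replay errors with IPv6
literals on an IPv4-only network (the CSCut91647 signature quoted in the
thread). Added example; not from the original post or from Cisco."""
import ipaddress
import re
from collections import defaultdict

# Built from the two variants quoted in the thread: %IPSEC-3-REPLAY_ERROR with
# "src_addr"/"dest_addr" and %IPSEC-3-REPLAY_ERROR_IPV6 with "ipv6 src_addr"/
# "ipv6 dest_addr". The %IOSXE-3-PLATFORM / QFP wrapper before it is ignored.
REPLAY_RE = re.compile(
    r"(?:%IPSEC-3-)?(?P<msg>REPLAY_ERROR(?:_IPV6)?): "
    r"IPSec SA receives anti-replay error, DP Handle (?P<dp>\d+), "
    r"(?:ipv6 )?src_addr (?P<src>\S+), (?:ipv6 )?dest_addr (?P<dst>\S+), "
    r"SPI (?P<spi>0x[0-9A-Fa-f]+)"
)

# Constructed sample lines (not taken from the thread). Assumed collector
# format: "<Mon> <day> <time> <hostname> <seq>: <IOS message>".
SAMPLE_LOGS = [
    "Jun  3 10:00:01 gm-branch-12 201: %IOSXE-3-PLATFORM: F0: cpp_cp: QFP:0.0 "
    "Thread:023 TS:00000075738659277452 %IPSEC-3-REPLAY_ERROR_IPV6: IPSec SA "
    "receives anti-replay error, DP Handle 5, ipv6 src_addr "
    "D9D6:7B50:4500:11B:2F00::7E11:8133, ipv6 dest_addr "
    "A17:776F:A0F:A:EBBB:185:107:FC8E, SPI 0x76551875",
    "Jun  3 10:00:04 gm-branch-12 202: %IOSXE-3-PLATFORM: F0: cpp_cp: QFP:0.0 "
    "Thread:023 TS:00000075738659280000 %IPSEC-3-REPLAY_ERROR_IPV6: IPSec SA "
    "receives anti-replay error, DP Handle 5, ipv6 src_addr "
    "D9D6:7B50:4500:11B:2F00::7E11:8133, ipv6 dest_addr "
    "A17:776F:A0F:A:EBBB:185:107:FC8E, SPI 0x76551875",
    "Jun  3 10:00:09 gm-branch-07 88: %IOSXE-3-PLATFORM: F0: cpp_cp: QFP:0.0 "
    "Thread:011 TS:00000075738659300000 %IPSEC-3-REPLAY_ERROR: IPSec SA "
    "receives anti-replay error, DP Handle 4, src_addr 10.1.7.1, "
    "dest_addr 10.1.0.1, SPI 0xada39663",
    "Jun  3 10:00:10 gm-branch-07 89: %SYS-5-CONFIG_I: Configured from console",
]


def is_ipv6_literal(addr):
    """True when the text parses as an IPv6 address (ipaddress does the work)."""
    try:
        return ipaddress.ip_address(addr).version == 6
    except ValueError:
        return False


def parse_replay_event(line):
    """Return the replay-error fields from one syslog line, or None if the
    line is not an IPsec anti-replay message. Hostname is the 4th field of
    the assumed collector prefix."""
    m = REPLAY_RE.search(line)
    if not m:
        return None
    fields = line.split()
    return {
        "host": fields[3] if len(fields) > 3 else "unknown",
        "msg": m.group("msg"),
        "dp_handle": int(m.group("dp")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "spi": int(m.group("spi"), 16),
        "ipv6_literal": is_ipv6_literal(m.group("src"))
        or is_ipv6_literal(m.group("dst")),
    }


def summarize(lines, ipv6_enabled_hosts=frozenset()):
    """Aggregate replay drops per GM. A host matches the CSCut91647
    signature when it logs replay errors carrying IPv6 literals and is not
    in ipv6_enabled_hosts (the set of GMs that legitimately run IPv6)."""
    per_host = defaultdict(lambda: {"events": 0, "ipv6_events": 0, "spis": set()})
    for line in lines:
        ev = parse_replay_event(line)
        if ev is None:
            continue
        h = per_host[ev["host"]]
        h["events"] += 1
        h["spis"].add(ev["spi"])
        if ev["ipv6_literal"]:
            h["ipv6_events"] += 1
    return {
        host: {
            "events": h["events"],
            "ipv6_events": h["ipv6_events"],
            "spis": sorted(h["spis"]),
            "matches_cscut91647_signature": h["ipv6_events"] > 0
            and host not in ipv6_enabled_hosts,
        }
        for host, h in per_host.items()
    }


if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOGS).items():
        print(host, info)
```

Run it against the collector's export for the GETVPN group; a GM that keeps appearing with the IPv6 signature while its SA counters barely move is the case described in the question, and the bug text says the only condition is that time-based anti-replay is enabled, so confirm that on the GM (for example from the output of show crypto gdoi) and compare the running release against the fixed-release list above. The 03.13.02.S reported in this thread is not in that list.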


3 Replies

Hello,

I would say these are either replay attacks or a software bug. Which router models and IOS versions are affected?

Hi Georg,

These are 4331s running Cisco IOS XE Software, Version 03.13.02.S.

See reply from TAC:

"I also ran them through a script to detect vulnerabilities and known bugs but there was nothing relevant either. I also looked for bugs that matched your version and the behavior you described but there wasn’t anything that would be affecting like that" 

I don't believe I'm the only one experiencing this.

