
HMAC Error on DMVPN Routers using ESP-SHA-HMAC

dganta
Level 1

Hi Team,

We are receiving the following errors in DMVPN with ESP-SHA512-HMAC. Not sure why we are getting these errors, though the traffic does not seem to be impacted. We are specifically receiving these errors on DMVPN spokes.

010240: *Jun 25 2017 21:57:54.645 UTC: %IOSXE-3-PLATFORM:cpp_cp: QFP:0.0 Thread:001 TS:00000864007532800199 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, DP Handle 14, src_addr 10.1.1.1, dest_addr 10.2.2.2, SPI 0xbefe39f2

Please let me know what the above error indicates and how we can get rid of these errors.

Thanks,

Dinesh

8 Replies

Philip D'Ath
VIP Alumni

I would move the platform onto a gold star release of code.  What model device is this, and what software version is it running at the moment?

Hi Philip,

These are 4300 and 4400 ISR G2 routers running version 03.16.04b.S.155-3.S4b

Thanks,

Dinesh

Hi Philip,

Yes, I understand it is recommended to move to a gold release, but is this a kind of bug which has been identified in the previous release? I need to be sure that the upgrade will fix the issue, as these routers are in production.

Also, I cannot figure out what these errors actually indicate. Are they harmless, or will it impact traffic?

Thanks,

Dinesh

This is the list of bug fixes.  The last one could be related to your issue.

Identifier
Description

CSCvb95663

NIM-2GE-CU-SFP: Cannot ping the GLBP Gateway IP.

CSCvb71936

Router may crash with "IOSXE-WATCHDOG: Process = HTTP CP" when running command show running-config with search option such as in below examples:

  • show running-config | include service-insertion swap src-ip
  • show running-config | section interface

CSCvc03634

Cisco 4300 ISR crashes with following error message:

%PMAN-3-PROCFAIL: SIP2: pman.sh: The process bsm has failed (rc 139)

CSCvc08339

Cisco 4331 ISR with NIM-1MFT-T1/E1 and Frame-relay circuit does not come up.

CSCuz51603

Multicast crashed with an invalid leaf pointer.

CSCuz20847

Cisco 4000 ISR creates VLAN 1 interface on bootup.

CSCvc13910

Cisco 4400 ISR: password recovery mode is not getting properly cleared.

CSCvb70539

NIM-ES2 duplex mismatches after there is a change in speed auto.

CSCvb44279

Cisco 4451 ISR provides incorrect values for traffic in subinterfaces.

CSCva31303

Cisco 44xx ISR cannot send large, fragmented or reassembled packets into containers.

Thank you, Philip, for your replies. Will consider upgrading the image and see whether that makes any difference.

Often it means that the affected traffic has been dumped.  If you are not noticing it then a TCP re-transmit is probably covering it up.

There are references to a bug when MD5 is being used.  Are you using MD5 (I hope not - it has not been a secure choice for some time)?
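
Added example, not part of the thread or of any Cisco tooling: one way to triage these messages from collected syslog is to group %IPSEC-3-HMAC_ERROR lines by peer pair and SPI, so it is visible whether the drops come from a single SA or continue across several. The field layout is taken from the log line quoted in the original post; the function names and all sample lines after the first are constructed for illustration.

```python
import re
from collections import Counter

# Field layout taken from the %IPSEC-3-HMAC_ERROR line quoted in the original post.
HMAC_RE = re.compile(
    r"\*(?P<ts>\w{3} +\d+ \d{4} [\d:.]+) UTC: .*?%IPSEC-3-HMAC_ERROR: .*?"
    r"DP Handle (?P<handle>\d+), src_addr (?P<src>[\d.]+), "
    r"dest_addr (?P<dst>[\d.]+), SPI (?P<spi>0x[0-9a-fA-F]+)"
)

_PFX = "%IOSXE-3-PLATFORM:cpp_cp: QFP:0.0 Thread:001 TS:0 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, "
# First line is the one from the post; the remaining lines are constructed.
SAMPLE_LOG = [
    "010240: *Jun 25 2017 21:57:54.645 UTC: %IOSXE-3-PLATFORM:cpp_cp: QFP:0.0 Thread:001 "
    "TS:00000864007532800199 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, "
    "DP Handle 14, src_addr 10.1.1.1, dest_addr 10.2.2.2, SPI 0xbefe39f2",
    "010241: *Jun 25 2017 21:58:10.102 UTC: " + _PFX
    + "DP Handle 14, src_addr 10.1.1.1, dest_addr 10.2.2.2, SPI 0xbefe39f2",
    "010250: *Jun 25 2017 22:58:03.311 UTC: " + _PFX
    + "DP Handle 15, src_addr 10.1.1.1, dest_addr 10.2.2.2, SPI 0x1A2B3C4D",
    "010251: *Jun 25 2017 22:59:00.000 UTC: %LINK-3-UPDOWN: Interface Gi0/0/1, changed state to up",
    "010260: *Jun 25 2017 23:01:17.900 UTC: " + _PFX
    + "DP Handle 22, src_addr 10.3.3.3, dest_addr 10.2.2.2, SPI 0x0c0ffee1",
]

def parse_hmac_errors(lines):
    """Yield one dict of fields per HMAC error line; unrelated lines are skipped."""
    for line in lines:
        m = HMAC_RE.search(line)
        if m:
            yield m.groupdict()

def summarize(lines):
    """Count HMAC errors per (src, dst, SPI) so a single noisy SA stands out."""
    return Counter(
        (e["src"], e["dst"], e["spi"].lower()) for e in parse_hmac_errors(lines)
    )

def peers_with_multiple_spis(counts):
    """Peer pairs with errors on more than one SPI, i.e. on more than one SA."""
    spis = {}
    for src, dst, spi in counts:
        spis.setdefault((src, dst), set()).add(spi)
    return {pair for pair, seen in spis.items() if len(seen) > 1}

if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(n, *key)
    print("multiple SPIs:", peers_with_multiple_spis(counts))
```

Errors confined to one SPI point at a single SA, while the same peer pair appearing under several SPIs shows the problem persisting across SAs, which is useful detail to attach to a support case before and after an upgrade.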