08-13-2012 11:20 PM - edited 02-21-2020 06:16 PM
Hi all,
After updating the ASR1004 Router to ROMMON 15.2(1r)S and IOS-XE 03.06.02.S, I get the following error messages:
%IOSXE-3-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:101 TS:00000059590688361391 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, DP Handle 5449
Does anybody know what's the matter with these errors?
Thanks in advance,
Norbert
08-14-2012 12:20 AM
Norbert,
It means a packet was received which failed HMAC verification.
If you upgrade to a version containing this fix:
you will get more information about packets like this.
Marcin
08-14-2012 01:23 AM
Hi Marcin,
Thanks a lot for your answer. I have found this Bug-ID too in the meantime ;-).
Sadly there is no fixed version available at this time... I will save the Bug-ID to my watchlist.
Thanks,
N.
08-14-2012 11:03 PM
Norbert,
I think it's something not populated properly in bug toolkit.
I just discussed this with people involved in committing the fix; they mentioned it should be available in 3.7.
Marcin
08-16-2012 07:19 AM
Hey Marcin,
Thank you for this hint. Is this internal information only, since I cannot find anything related in the release notes... moreover I cannot find the release notes for 3.7.0S nor 3.6.2S ;-)
N.
08-16-2012 08:01 AM
Norbert,
3.6 and 3.7 release notes
http://www.cisco.com/en/US/docs/routers/asr1000/release/notes/asr1k_feats_important_notes_37s.html
M.
08-17-2012 05:27 AM
Marcin,
Thank you for the link. I have only looked via the Release Notes link in the download center and this link may not be up to date...
In the caveats section for 3.6.x or 3.7.0 there is no mention about the CSCtw69096 Bug ID.
I think it would be best to wait for 3.7.1 and see if the Bug is "officially" fixed in this version, isn't it?
N.
08-17-2012 05:43 AM
Norbert,
That's completely up to you, I think there is some problem with populating the fields.
Will check with guys on our side.
3.7.1 is still some time off ;-)
M.
08-31-2012 01:40 AM
Hi Marcin,
I have updated the box to 03.07.00.S, but there are still those error messages ;-(
004700: Aug 31 10:29:00: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0xD36837A4(3546822564), srcaddr=x.x.x.x, input interface=Tunnelxxx
08-31-2012 01:44 AM
Norbert,
Well, if you look at the post which you marked as the one that helped you - I only mention that it gives more information about traffic causing this problem :-)
Regardless, check if the SPI is a valid SPI under tunnelxxx
show crypto ipsec sa interface tunnelxxx | i 0xD36837A4
Should give you the output... if the SPI is wrong - well most likely remote end sending traffic with wrong SPI.
If not it could be a problem with programming.
M.
08-31-2012 02:17 AM
Hi again,
I'm sorry, I have pasted the wrong error message ;-).
But for this message I have looked and the SPIs are identical for both ends (inbound to outbound, outbound to inbound).
The other old error message which is still there is:
004711: Aug 31 10:59:02: %IOSXE-3-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:120 TS:00000038984716821310 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, DP Handle 3626, src_addr x.x.x.x, dest_addr x.x.x.x, SPI 0x3e92bee4
This "cosmetic" message should have been solved in 3.7, isn't it?
Thx,
N.
08-31-2012 02:19 AM
Norbert,
so they are identical and equal to
0x3e92bee4 ?
M.
08-31-2012 02:27 AM
The two error messages have nothing to do with each other, I think.
Router A:
RouterA#sh crypto ipsec sa int Tunnelxxx | in spi
current outbound spi: 0xF854D536(4166309174)
spi: 0x3E92BEE4(1049804516)
spi: 0xF854D536(4166309174)
Router B:
RouterB#sh crypto ipsec sa int Tunnelyyy | inc spi
current outbound spi: 0x3E92BEE4(1049804516)
spi: 0xF854D536(4166309174)
spi: 0x3E92BEE4(1049804516)
SPIs match. And the same for the other error message.
08-31-2012 02:34 AM
Norbert,
Looks indeed cosmetic or an error while formulating error message.
Do you mind opening a TAC case so we can investigate?
M.
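The SPI cross-check carried out by hand in the posts above, as an added example that is not part of the original thread: it pulls the SPI out of either log message format and compares it with the filtered `show crypto ipsec sa` output of both routers. The function names and verdict strings are hypothetical, and it assumes Router A is the router that logged the HMAC error and that any `spi:` line other than the current outbound SPI is an inbound SA.

```python
import re

# Log line and "show crypto ipsec sa ... | in spi" output copied from the posts above.
HMAC_LOG = ("%IOSXE-3-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:120 TS:00000038984716821310 "
            "%IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, DP Handle 3626, "
            "src_addr x.x.x.x, dest_addr x.x.x.x, SPI 0x3e92bee4")
ROUTER_A = """current outbound spi: 0xF854D536(4166309174)
spi: 0x3E92BEE4(1049804516)
spi: 0xF854D536(4166309174)"""
ROUTER_B = """current outbound spi: 0x3E92BEE4(1049804516)
spi: 0xF854D536(4166309174)
spi: 0x3E92BEE4(1049804516)"""

# Handles both formats in the thread: "SPI 0x..." and "spi=0x...(decimal)".
LOG_RE = re.compile(
    r"%(IPSEC-3-HMAC_ERROR|CRYPTO-4-RECVD_PKT_INV_SPI):.*?\bspi[ =](0x[0-9a-f]+)", re.I)
SA_RE = re.compile(r"^\s*(current outbound )?spi:\s*(0x[0-9a-f]+)", re.I | re.M)

def parse_sa_spis(show_output):
    """Return (current_outbound_spi, inbound_spis) from the filtered output.
    Assumption: any 'spi:' line that is not the current outbound SPI is inbound."""
    outbound, seen = None, set()
    for is_current, spi in SA_RE.findall(show_output):
        if is_current:
            outbound = int(spi, 16)
        else:
            seen.add(int(spi, 16))
    return outbound, seen - {outbound}

def classify(log_line, receiver_show, sender_show):
    """Compare the SPI in a log line with the SAs on the receiver and its peer."""
    m = LOG_RE.search(log_line)
    if m is None:
        return None  # e.g. the earlier message format, which carries no SPI
    spi = int(m.group(2), 16)
    _, receiver_inbound = parse_sa_spis(receiver_show)
    sender_outbound, _ = parse_sa_spis(sender_show)
    if spi not in receiver_inbound:
        verdict = "spi-unknown-on-receiver"
    elif spi != sender_outbound:
        verdict = "peer-outbound-differs"
    else:
        verdict = "spi-consistent"
    return m.group(1).upper(), hex(spi), verdict

if __name__ == "__main__":
    print(classify(HMAC_LOG, ROUTER_A, ROUTER_B))
```

A `spi-consistent` verdict means the SPI in the message belongs to a live SA pair on both ends, which is the situation the thread ends on.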