
'hsrp' detected the 'warning' condition 'Packet too long'

Hello All,

We discovered a warning in show hsrp trace as follows.

Jun 23 06:46:29.805 hsrp_unbulk 0/RSP0/CPU0 t1      Failed to receive packet: 'hsrp' detected the 'warning' condition 'Packet too long'

After some investigation we reproduced the problem in our lab.

Summary: 

If our ASR 9010 receives HSRP v2 Packets with MD5 Authentication it will produce this...

Failed to receive packet: 'hsrp' detected the 'warning' condition 'Packet too long'

...hsrp trace warnings. The HSRP v2 packets are sent by customer devices and not by our ASR9ks.

TL/DR

Lab Setup to Reproduce this issue:

ASR 9010 running Cisco IOS XR Software, Version 5.3.2 

Catalyst 4500 running Cisco IOS-XE Software, Version 03.07.03.E

I connected ASR Interface gi0/0/1/1 to 4k5 interface gi1/2.

The ASR config is as follows...

interface GigabitEthernet0/0/1/1
 description 01.r.cbn.ch.lab@Gi1/2
 ipv4 address 192.168.69.2 255.255.255.0
!
router hsrp
 interface GigabitEthernet0/0/1/1
  address-family ipv4
   hsrp 123
    preempt
    priority 100
    address 192.168.69.1
   !
  !
 !
!

and the 4k5 interface config ...

interface GigabitEthernet1/2
 no switchport
 ip address 192.168.69.10 255.255.255.0
 standby version 2
 standby 1000 ip 192.168.69.11
 standby 1000 preempt
 standby 1000 authentication md5 key-string akdjfadf
end

This configuration is small enough to show the problem. The ASR starts generating the Warnings in 'show hsrp trace'

Jun 23 07:06:49.540 hsrp_unbulk 0/RSP0/CPU0 t1      Failed to receive packet: 'hsrp' detected the 'warning' condition 'Packet too long'
Jun 23 07:06:52.109 hsrp_unbulk 0/RSP0/CPU0 t1      GigabitEthernet0/0/1/1#0x1000Discarding packet with length 72 bytes: 'hsrp' detected the 'warning' condition 'Packet too long'
Jun 23 07:06:52.109 hsrp_unbulk 0/RSP0/CPU0 t1      Failed to receive packet: 'hsrp' detected the 'warning' condition 'Packet too long'

HSRP v2 on the 4k5 without Authentication is OK

HSRP v2 on the 4k5 Plain-Text Authentication is OK

This issue is related to HSRP v2 with MD5 only. 

The intention of my lab configuration was not to configure HSRP between my ASR and the 4k5. It is a minimal configuration to simulate two independent HSRP groups in the same VLAN, like we have between our customer and our provider network.

I discovered HSRPv2 MD5 Authentication disappeared in IOS XR 4.3. Maybe this issue is related somehow. I searched the Cisco Bug DB without any luck. Is it worth opening a TAC case for this? We think this issue does not have a traffic impact.

 

xthuijs
Cisco Employee

hi ben,

correct, asr9000 doesn't support md5 authentication for hsrp, the cmd structure existed but got removed later on to prevent confusion.

"security" in hsrp is a bit of a joke using md5 passwords, as the pw config merely provides protection against accidental misconfiguration, the vulnerabilities of hsrp/vrrp are much bigger than "securing" the peers with pw's.

putting that aside, since the hsrp code does a lot of extensive validation checks on paks it receives, the md5 piece adds too much header to the packet making it fail the sanity checks.

don't think it is worth opening a tac case for this to be honest, currently there are no plans (or use) supporting md5 auth.

cheers

xander
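To see which neighbour on a segment is sending the MD5-authenticated hellos behind these trace warnings, the following added example (not part of the original thread, and not Cisco code) walks the TLVs of an HSRPv2 UDP payload and reports its length, group and authentication type. The TLV type codes and field sizes are assumptions taken from how common packet dissectors decode HSRPv2, and the sample packets are constructed; with that layout the MD5 sample comes to 72 bytes, the length shown in the trace line above.

```python
import struct

# HSRPv2 TLV type codes as decoded by common packet dissectors (assumption,
# not taken from the thread). Each TLV is: 1-byte type, 1-byte length, value.
TLV_NAMES = {1: "group-state", 2: "interface-state", 3: "text-auth", 4: "md5-auth"}

def parse_hsrpv2(payload: bytes):
    """Walk the TLVs of an HSRPv2 UDP payload; return [(name, value), ...]."""
    tlvs, off = [], 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated TLV header")
        tlv_type, length = payload[off], payload[off + 1]
        value = payload[off + 2 : off + 2 + length]
        if len(value) != length:
            raise ValueError("TLV value overruns payload")
        tlvs.append((TLV_NAMES.get(tlv_type, f"unknown-{tlv_type}"), value))
        off += 2 + length
    return tlvs

def summarize(payload: bytes):
    """Report payload length, HSRP group and authentication TLV in use."""
    tlvs = parse_hsrpv2(payload)
    names = [n for n, _ in tlvs]
    # The group number sits at value offset 4..5 of the group-state TLV.
    group = next((struct.unpack("!H", v[4:6])[0] for n, v in tlvs
                  if n == "group-state" and len(v) >= 6), None)
    auth = next((n for n in names if n.endswith("-auth")), "none")
    return {"length": len(payload), "group": group, "auth": auth}

def tlv(tlv_type: int, value: bytes) -> bytes:
    """Helper (hypothetical, for building the samples): encode one TLV."""
    return bytes([tlv_type, len(value)]) + value

# Constructed sample hellos modelled on the lab's 4k5 side (group 1000,
# virtual IP 192.168.69.11); MAC, timers and digest are made-up placeholders.
GROUP_STATE = tlv(1, struct.pack("!BBBBH6sIII16s", 2, 0, 6, 4, 1000,
                                 bytes.fromhex("02005e000001"), 100, 3000, 10000,
                                 bytes([192, 168, 69, 11]) + bytes(12)))
HELLO_TEXT = GROUP_STATE + tlv(3, b"cisco\x00\x00\x00")  # 8-byte text-auth TLV
HELLO_MD5 = GROUP_STATE + tlv(4, bytes(28))              # 28-byte MD5-auth TLV

if __name__ == "__main__":
    for name, pkt in (("text", HELLO_TEXT), ("md5", HELLO_MD5)):
        print(name, summarize(pkt))
```
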

Hello Xander

Thank you for your answer. As there is no traffic impact I just ignore this as a cosmetic issue.

Best regards,

Benjamin