[c-nsp] RSP720 dropping ipsec packets

Kevin Loch kloch at kl.net
Mon Sep 12 22:54:47 EDT 2011


Is anyone else having problems forwarding ipsec packets through
a 7600/rsp720?  I'm referring to protocol 50 (ESP) packets routed
through the router (no ipsec configured on the router itself). It seems
that all IOS versions released after SRD4 have a "feature" where all
protocol 50 (ESP) packets are punted to the rp.  Sometimes they are
forwarded by the rp, sometimes not.  This does not affect udp port 500
(ike) or any other forwarded traffic through the router just esp.

The typical failure mode is a vpn tunnel that will randomly stop working
and then remain broken. Sometimes changing the ingress or egress
interface will make it work for a while. There may be some correlation
with using port-channel interfaces for ingress or egress but the problem
is not consistent enough to be sure. Obviously it is very bad to have
all ipsec packets sent to the rp regardless of whether they are
forwarded or not.

I have seen this on SRD6 and SRE4.  SRD4 works and seems to predate
the code changes that caused this bug.

bug-id CSCtk47461 seems related to this but claims it was fixed:

1st Found-In
12.2(33)SRE2
12.2(33)SRD5


Fixed-In
15.0(1)S2.11
12.2(33.2.20)SRE
15.1(1.22)S
15.1(1)S0.4
12.2(33)SRE3
15.1(1)S1
15.0(1)S3a

In SRD5 "show ibc" includes a new field "IPSEC pkts dropped:" which was
incrementing rapidly on my problem routers. SRE4 includes a slightly
different label "IPSEC pkts:" which still increments.  There should not
be many ipsec packets hitting the rp on this router, if any.

Here is an earlier thread on this issue for reference:
http://www.gossamer-threads.com/lists/cisco/nsp/143296


- Kevin
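The post points at the "IPSEC pkts dropped:" / "IPSEC pkts:" field of "show ibc" as the tell-tale for this punting behaviour. Below is an added example, not from the post or from Cisco, of a small parser that reads two "show ibc" captures taken some seconds apart and reports the per-second punt rate so it can be graphed or alerted on. The sample captures are constructed: only the two field labels come from the post; the surrounding lines and counter values are made up, and a real "show ibc" will contain many other fields.

```python
import re
from typing import Optional

# Constructed sample captures (NOT real device output). Only the labels
# "IPSEC pkts dropped:" (SRD5) and "IPSEC pkts:" (SRE4) are taken from the post.
CAPTURE_T0 = """Interface information:
    Interface IBC0/0 (idb 0x1234)
    IPSEC pkts dropped: 104233
    other counter: 17
"""
CAPTURE_T1 = """Interface information:
    Interface IBC0/0 (idb 0x1234)
    IPSEC pkts dropped: 109733
    other counter: 17
"""

# Match either label variant; the value is the integer after the colon.
_IPSEC_RE = re.compile(r"^\s*IPSEC pkts(?: dropped)?:\s*(\d+)\s*$", re.MULTILINE)


def parse_ipsec_counter(show_ibc_text: str) -> Optional[int]:
    """Return the IPSEC punt counter from a 'show ibc' capture, or None if absent
    (e.g. an IOS release that predates the field)."""
    m = _IPSEC_RE.search(show_ibc_text)
    return int(m.group(1)) if m else None


def punt_rate(text_t0: str, text_t1: str, interval_s: float) -> Optional[float]:
    """Packets per second punted between two captures taken interval_s apart.
    Returns None when the counter is missing or went backwards (reset/wrap),
    since a single negative delta cannot be interpreted as a rate."""
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    c0, c1 = parse_ipsec_counter(text_t0), parse_ipsec_counter(text_t1)
    if c0 is None or c1 is None or c1 < c0:
        return None
    return (c1 - c0) / interval_s


def is_punting_esp(text_t0: str, text_t1: str, interval_s: float,
                   threshold_pps: float = 10.0) -> bool:
    """True when ESP punts exceed threshold_pps. The post notes there should be
    few or no IPsec packets hitting the RP on a transit router, so even a low
    threshold is meaningful; the default is an assumption, tune it per site."""
    rate = punt_rate(text_t0, text_t1, interval_s)
    return rate is not None and rate > threshold_pps


if __name__ == "__main__":
    # Two constructed captures 60 s apart: 5500 packets -> ~91.7 pps.
    r = punt_rate(CAPTURE_T0, CAPTURE_T1, 60.0)
    print(f"ESP punt rate: {r:.1f} pps, alert={is_punting_esp(CAPTURE_T0, CAPTURE_T1, 60.0)}")
```

In practice the two captures would come from a scheduled "show ibc" collection (rancid, an expect script, or an NMS); the delta approach matters because the absolute counter value says nothing on its own, while a steadily rising counter on a box with no IPsec configured is exactly the symptom the post describes.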

