[c-nsp] RSP720 dropping ipsec packets

Cassidy Larson alandaluz at gmail.com
Tue Sep 13 01:46:05 EDT 2011


Kevin,

I had the exact same problem. We actually swapped out our RSP720 for a
replacement. Unfortunately, the second one exhibited the same problems. Our
third RSP720 did not, however. My vendor said he got both of the original two
from the same dealer. I wonder if there was a bad batch of RSP720's or
something. Currently, we're running dual RSP720's on two 7600s without the
issue. It was a nightmare to troubleshoot.

-c

On Mon, Sep 12, 2011 at 8:54 PM, Kevin Loch <kloch at kl.net> wrote:
> Is anyone else having problems forwarding ipsec packets through
> a 7600/rsp720?  I'm referring to protocol 50 (ESP) packets routed
> through the router (no ipsec configured on the router itself). It seems
> that all IOS versions released after SRD4 have a "feature" where all
> protocol 50 (ESP) packets are punted to the rp.  Sometimes they are
> forwarded by the rp, sometimes not.  This does not affect udp port 500
> (ike) or any other forwarded traffic through the router, just esp.
>
> The typical failure mode is a vpn tunnel that will randomly stop working
> and then remain broken. Sometimes changing the ingress or egress
> interface will make it work for a while. There may be some correlation
> with using port-channel interfaces for ingress or egress but the problem
> is not consistent enough to be sure. Obviously it is very bad to have
> all ipsec packets sent to the rp regardless of whether they are
> forwarded or not.
>
> I have seen this on SRD6 and SRE4.  SRD4 works and seems to predate
> the code changes that caused this bug.
>
> bug-id CSCtk47461 seems related to this but claims it was fixed:
>
> 1st Found-In
> 12.2(33)SRE2
> 12.2(33)SRD5
>
>
> Fixed-In
> 15.0(1)S2.11
> 12.2(33.2.20)SRE
> 15.1(1.22)S
> 15.1(1)S0.4
> 12.2(33)SRE3
> 15.1(1)S1
> 15.0(1)S3a
>
> In SRD5 "show ibc" includes a new field "IPSEC pkts dropped:" which was
> incrementing rapidly on my problem routers. SRE4 includes a slightly
> different label "IPSEC pkts:" which still increments.  There should not
> be many ipsec packets hitting the rp on this router, if any.
>
> Here is an earlier thread on this issue for reference:
> http://www.gossamer-threads.com/lists/cisco/nsp/143296
>
>
> - Kevin
>
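As an added illustration (not part of either message, and not Cisco code): Kevin's observation that the "IPSEC pkts dropped:" / "IPSEC pkts:" field in "show ibc" climbs on an affected router suggests a simple operational check, polling that counter and alerting when it keeps rising. The script below does that for two captured outputs. The sample "show ibc" text is constructed for this example; only the two field labels are taken from the thread, and the surrounding lines, numbers and the one-packet-per-second threshold are assumptions.

```python
"""Monitor the IPSEC punt counter reported by "show ibc" on an RSP720.

Added example, not from the thread.  Real "show ibc" output has many more
fields; only the two counter labels quoted in the thread are relied upon.
"""
import re
from dataclasses import dataclass
from typing import Optional

# SRD5 labels the field "IPSEC pkts dropped:", SRE4 labels it "IPSEC pkts:".
# One pattern accepts both so the same check works across the two trains.
IPSEC_COUNTER_RE = re.compile(r"IPSEC pkts(?: dropped)?:\s*(\d+)")


def parse_ipsec_counter(show_ibc_output: str) -> Optional[int]:
    """Return the IPSEC counter value, or None if the field is absent
    (SRD4 and earlier, which predate the field, would return None)."""
    m = IPSEC_COUNTER_RE.search(show_ibc_output)
    return int(m.group(1)) if m else None


@dataclass
class Sample:
    timestamp: float  # seconds (e.g. time.time()) when the capture was taken
    counter: int


def punt_rate(prev: Sample, curr: Sample) -> float:
    """ESP packets per second reaching the RP between two polls.
    A counter that went backwards (reload or clear) is treated as a restart."""
    dt = curr.timestamp - prev.timestamp
    if dt <= 0 or curr.counter < prev.counter:
        return 0.0
    return (curr.counter - prev.counter) / dt


def evaluate(prev_output: str, prev_t: float,
             curr_output: str, curr_t: float,
             threshold_pps: float = 1.0) -> dict:
    """Compare two "show ibc" captures and classify the router.

    status is one of:
      "no-counter" - the field is not present in one of the captures
      "ok"         - counter rose more slowly than threshold_pps
      "alert"      - ESP traffic is being punted at or above threshold_pps
    """
    prev_c = parse_ipsec_counter(prev_output)
    curr_c = parse_ipsec_counter(curr_output)
    if prev_c is None or curr_c is None:
        return {"status": "no-counter", "rate_pps": 0.0}
    rate = punt_rate(Sample(prev_t, prev_c), Sample(curr_t, curr_c))
    status = "alert" if rate >= threshold_pps else "ok"
    return {"status": status, "rate_pps": rate}


# --- constructed sample captures (layout and numbers are invented) ---------
SRD5_T0 = """Interface information:
  Interface IBC0/0(idb 0x4A1B2C00)
  IPSEC pkts dropped: 120034
  Total pkts: 99812345
"""
SRD5_T1 = """Interface information:
  Interface IBC0/0(idb 0x4A1B2C00)
  IPSEC pkts dropped: 180034
  Total pkts: 99872345
"""
SRE4_T0 = "Interface IBC0/0\n  IPSEC pkts: 42\n  Total pkts: 5000\n"
SRE4_T1 = "Interface IBC0/0\n  IPSEC pkts: 42\n  Total pkts: 5900\n"
SRD4_NO_FIELD = "Interface IBC0/0\n  Total pkts: 5000\n"


if __name__ == "__main__":
    # Polls 60 seconds apart: the SRD5 router is punting 1000 ESP pkt/s.
    print("SRD5 router:", evaluate(SRD5_T0, 0.0, SRD5_T1, 60.0))
    print("SRE4 router:", evaluate(SRE4_T0, 0.0, SRE4_T1, 60.0))
    print("SRD4 router:", evaluate(SRD4_NO_FIELD, 0.0, SRD4_NO_FIELD, 60.0))
```

In practice the two captures would come from a scheduled `show ibc` collection (for example via an SSH polling job) rather than string constants; the point is that a steadily rising counter on a router with no IPsec configured of its own is the symptom the thread describes, and it can be caught before a tunnel is reported down.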


