guruprasadr Thu, 07/10/2008 - 03:23

Hi Rao, [Pls RATE if HELPS]


Cisco has declared the issue to be a bug. Please read the complete bug report collected from the site:


Please log a new trouble ticket with Cisco and identify whether your IOS version c7200p-advsecurityk9-mz.124-15.T3.bin is also impacted by RRI.


CSCsm13389 Bug Details

========================

RRI is not called if QM rekey timer expiry forces SA deletion

Symptoms:

==========

It may be possible for an RRI-created route to be left behind even after the associated IPsec SAs have been removed.

Conditions:

============

It is observed in Cisco IOS 12.2 versions supporting the VPNSM or SPA. This situation can occur if connectivity is lost between peers prior to an attempted IPsec (phase 2) SA rekey. If DPD has not detected a failure between the peers and traffic is not being sent, the first indication that the tunnel is down will occur when a rekey is required. Once the rekey timers have expired the old SAs are removed, but RRI was not being called in this scenario.

Workaround:

============

Use DPD in such a way as to know if a tunnel is down prior to needing a rekey. Aggressive rekey intervals on links with questionable reliability are not recommended.

Related Bug Information

=========================

RRI route stays in routing table even when IPsec SA is deleted.

Symptoms: RRI route is not deleted from the routing table even when IPsec SAs are not active.

Condition: It is being observed on 6500/7600 running 12.2SRA code; when using a dynamic crypto map in the 6500/7600 configuration, the RRI route is not deleted even when Phase 2 SAs are deleted.

Workaround: "clear crypto session" clears the RRI route from the routing table.

Hope I am informative.


PLS RATE if HELPS => Use the RATING System


Best Regards,


Guru Prasad R
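As an added detection check (not part of the original post or of any Cisco code), the following Python script compares constructed, simplified excerpts of `show ip route static` and `show crypto ipsec sa` output and flags static routes whose next hop is an IPsec peer with no ACTIVE SA, which is the leftover-RRI-route condition the bug report describes. The field layout of both outputs is an assumption; static routes to next hops that are not crypto peers are skipped so ordinary statics are not reported.

```python
import re

# Constructed, simplified excerpts of "show ip route static" and
# "show crypto ipsec sa" output; the field layout is an assumption and
# real output carries more fields.
SHOW_IP_ROUTE_STATIC = """\
S        10.10.1.0/24 [1/0] via 198.51.100.7
S        10.10.2.0/24 [1/0] via 198.51.100.9
S        172.16.0.0/16 [1/0] via 203.0.113.1
"""

SHOW_CRYPTO_IPSEC_SA = """\
   current_peer 198.51.100.7 port 500
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        Status: ACTIVE
   current_peer 198.51.100.9 port 500
     inbound esp sas:
     outbound esp sas:
"""

ROUTE_RE = re.compile(r"^S\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+)", re.M)
PEER_RE = re.compile(r"^\s*current_peer\s+(\S+)")


def parse_static_routes(text):
    """Return (prefix, next_hop) pairs from 'show ip route static' text."""
    return ROUTE_RE.findall(text)


def active_sa_peers(text):
    """Map each crypto peer to True if at least one SA under it is ACTIVE."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = m.group(1)
            peers.setdefault(current, False)
        elif current and "Status: ACTIVE" in line:
            peers[current] = True
    return peers


def stale_rri_routes(route_text, sa_text):
    """Static routes whose next hop is a known IPsec peer with no ACTIVE SA.
    Next hops absent from the SA output are ordinary statics and are skipped."""
    peers = active_sa_peers(sa_text)
    return [(prefix, hop) for prefix, hop in parse_static_routes(route_text)
            if hop in peers and not peers[hop]]
```

Run on real captures, a non-empty result is the cue to apply the report's workaround (`clear crypto session` for the affected peer) and to review DPD and rekey settings.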

