Velocity Reviews - Computer Hardware Reviews

Strangest IPSec thing...

Ivan Ostreš
02-07-2005

Has anyone ever seen an SA sourced by an interface that is in down
status??

Let me explain in more depth: Let's assume I have two locations and
have an IPSec tunnel between them. When going to the backup link, IPSec drops (it
is a normal thing because of the too big delay of switching to the backup path),
and when it (the IPSec tunnel) tries to come up again (through the backup
interface) there are SAs sourced by the main interface, which is in "down"
state....

Routers are 7200's....

I got this as feedback from our operations guys, so I'm not 100% sure it is
happening for real, but I'm trying to catch that event myself to get
some evidence.

In the meantime, has anyone seen this before???

--
-Ivan.

*** Use Rot13 to see my eMail address ***

Hansang Bae
02-08-2005
Ivan Ostreš wrote:

>
> Has anyone ever seen an SA sourced by an interface that is in down
> status??


This is one of the bugs that we found. It turns out that the IPSec engine
'trusts' the router, i.e. it's just an app running on the router. So
it expects the router to *not* use the packet if it's sourced from a
down interface. Turns out, this doesn't happen. It will happily use
the IP from a downed interface.

>
> Let me explain in more depth: Let's assume I have two locations and
> have an IPSec tunnel between them. When going to the backup link, IPSec drops
> (it is a normal thing because of the too big delay of switching to the backup
> path), and when it (the IPSec tunnel) tries to come up again (through the
> backup interface) there are SAs sourced by the main interface, which is
> in "down" state....
>
> Routers are 7200's....


We saw this on the 7200's too.


> I got this as feedback from our operations guys, so I'm not 100% sure it
> is happening for real, but I'm trying to catch that event myself to
> get some evidence.
> In the meantime, has anyone seen this before???



You have a decent ops team if they spotted this! If I were in the
office, I could give you the exact TAC case number that we filed. I
*thought* it was fixed in 12.2.24 (or perhaps 12.2.19(E4)/(E5)).



--

hsb


"Somehow I imagined this experience would be more rewarding" Calvin
**************************ROT13 MY ADDRESS*************************
Due to the volume of email that I receive, I may not be able to
reply to emails sent to my account. Please post a followup instead.
********************************************************************

Ivan Ostreš
02-08-2005
In article <j7XNd.348$(E-Mail Removed)>, (E-Mail Removed)
says...
> You have a decent ops team if they spotted this! If I were in the
> office, I could give you the exact TAC case number that we filed. I
> *thought* it was fixed in 12.2.24 (or perhaps 12.2.19(E4)/(E5)).
>
>


Well, my OPS team is pretty good, but on this it was not big trouble
to spot, since IPSec never came up on the backup int because the other router
rejected SA packets from an address that it doesn't have a route to (of
course, because the interface was "down").

I have to admit that I just hoped that they were wrong, but it looks like
**** really happens...

Well, on this router the IOS is much lower than 12.2.19, so we'll just have
to upgrade it.


--
-Ivan.

*** Use Rot13 to see my eMail address ***

Ivan Ostreš
02-09-2005
In article <(E-Mail Removed)>,
(E-Mail Removed) says...
> In article <j7XNd.348$(E-Mail Removed)>, (E-Mail Removed)
> says...
> > You have a decent ops team if they spotted this! If I were in the
> > office, I could give you the exact TAC case number that we filed. I
> > *thought* it was fixed in 12.2.24 (or perhaps 12.2.19(E4)/(E5)).
> >
> >

>
> Well, my OPS team is pretty good, but on this it was not big trouble
> to spot, since IPSec never came up on the backup int because the other router
> rejected SA packets from an address that it doesn't have a route to (of
> course, because the interface was "down").
>
> I have to admit that I just hoped that they were wrong, but it looks like
> **** really happens...
>
> Well, on this router the IOS is much lower than 12.2.19, so we'll just have
> to upgrade it.
>
>
>


Some update to this. It seems that the consultant who implemented this did
not do the prescribed formal testing of the solution. The problem was that
just "some" production traffic is encrypted while other (mostly internet)
traffic is not. When he was testing, he used "ping", which is not
encrypted, and he thought everything was working just because he got pings
back after bringing up the backup interface.

Nobody ever tested backup using some production traffic (that should be
encrypted), so the error was not seen until the main link died for the first
time (a few days ago).

The bug would have been found before putting the solution into production if the
testing had been right. And yes, after the upgrade, the bug is not present anymore.

Conclusion: bugs are not that big a problem if the human factor doesn't make
mistakes when testing the solution...

--
-Ivan.

*** Use Rot13 to see my eMail address ***
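Two things in this thread lend themselves to an operational check: Hansang's point that an SA can end up sourced from an address on a downed interface, and Ivan's follow-up that a failover test driven only by ping (which did not match the crypto ACL) never exercised the SAs. The script below is an added example, not code from the thread or from Cisco. It parses constructed sample text laid out like IOS `show ip interface brief` and `show crypto ipsec sa` (the column layout and the `local crypto endpt.:` / `#pkts encaps:` wording are assumed from those commands' usual output; the addresses are documentation ranges, not a real capture) and flags SAs whose local endpoint is not on an up/up interface, plus SAs that have encapsulated nothing, which is the trace a ping-only failover test leaves behind.

```python
"""Cross-check IPsec SA endpoints against interface state (added example).

Not code from the thread. It parses constructed samples in the layout of IOS
'show ip interface brief' and 'show crypto ipsec sa' and reports:
  * SAs whose local crypto endpoint belongs to an interface that is not up/up
    (the symptom discussed in the thread), and
  * SAs that have never encapsulated a packet, which is what a failover test
    driven only by unencrypted ping leaves behind.
"""
import re

# Constructed sample output, not a real capture: Serial0/0 is the failed
# primary link, Serial0/1 the backup that is now up.
SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
Serial0/0              192.0.2.1       YES NVRAM  down                  down
Serial0/1              198.51.100.1    YES NVRAM  up                    up
FastEthernet1/0        10.0.0.1        YES NVRAM  up                    up
"""

# Constructed: the SA still carries the primary link's address as its
# local endpoint even though that interface is down.
SHOW_CRYPTO_IPSEC_SA = """\
interface: Serial0/1
    Crypto map tag: vpn, local addr 198.51.100.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
   current_peer 203.0.113.5 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

     local crypto endpt.: 192.0.2.1, remote crypto endpt.: 203.0.113.5
"""

# Columns: Interface, IP-Address, OK?, Method, Status (may be multi-word), Protocol
INT_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+\S+\s+(.*?)\s+(\S+)\s*$")
ENDPT_RE = re.compile(
    r"local crypto endpt\.: (\d+\.\d+\.\d+\.\d+), remote crypto endpt\.: (\d+\.\d+\.\d+\.\d+)"
)
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")


def parse_interfaces(text):
    """Map each assigned IP address to (interface, status, protocol)."""
    by_ip = {}
    for line in text.splitlines():
        if line.startswith("Interface"):
            continue  # column header
        m = INT_RE.match(line)
        if m and m.group(2) != "unassigned":
            name, ip, status, proto = m.groups()
            by_ip[ip] = (name, status, proto)
    return by_ip


def parse_sas(text):
    """Return one record per SA: local/remote endpoints and the encaps counter."""
    sas = []
    # Each SA entry begins with its 'local ident' line.
    for block in re.split(r"\n(?=\s*local\s+ident )", text):
        endpts = ENDPT_RE.search(block)
        if not endpts:
            continue
        enc = ENCAPS_RE.search(block)
        sas.append({
            "local": endpts.group(1),
            "remote": endpts.group(2),
            "encaps": int(enc.group(1)) if enc else 0,
        })
    return sas


def check(interfaces, sas):
    """Return (local, remote, reason) findings for suspicious SAs."""
    findings = []
    for sa in sas:
        iface = interfaces.get(sa["local"])
        if iface is None:
            findings.append((sa["local"], sa["remote"],
                             "local endpoint is not an address on any interface"))
        elif iface[1] != "up" or iface[2] != "up":
            findings.append((sa["local"], sa["remote"],
                             f"sourced from {iface[0]} which is {iface[1]}/{iface[2]}"))
        if sa["encaps"] == 0:
            findings.append((sa["local"], sa["remote"],
                             "no packets encapsulated: test traffic may not match the crypto ACL"))
    return findings


if __name__ == "__main__":
    for local, remote, reason in check(parse_interfaces(SHOW_IP_INT_BRIEF),
                                       parse_sas(SHOW_CRYPTO_IPSEC_SA)):
        print(f"SA {local} -> {remote}: {reason}")
```

Run against the constructed sample it reports the SA twice: once because 192.0.2.1 sits on Serial0/0 (down/down), and once because the encaps counter is still zero. In practice you would feed it the real command output captured on both routers after forcing a failover, and treat a zero encaps counter during the test as a sign that the test traffic never matched the crypto ACL rather than as proof the backup path works.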