Strangest IPSec thing...

Discussion in 'Cisco' started by Ivan Ostreš, Feb 7, 2005.

  1. Ivan Ostreš

    Ivan Ostreš Guest

    Has anyone ever seen an SA sourced by an interface that is in down
    status??

    Let me explain in more depth: Let's assume I have two locations and
    have an IPSec tunnel between them. When going to the backup link, IPSec
    drops (it is a normal thing because of the too-big delay of switching to
    the backup path), and when it (the IPSec tunnel) tries to come up again
    (through the backup interface) there are SAs sourced by the main
    interface which is in "down" state....

    Routers are 7200's....

    I got this as a feedback from our operation guys so not 100% sure it is
    happening for real, but I'm trying to catch that event myself to get
    some evidence.

    In the meantime, has anyone seen this before???

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
     
    Ivan Ostreš, Feb 7, 2005
    #1

  2. Hansang Bae

    Hansang Bae Guest

    Ivan Ostre wrote:

    >
    > Has anyone ever seen an SA sourced by an interface that is in down
    > status??


    This is one of the bugs that we found. It turns out that the IPSec engine
    'trusts' the router, i.e. it's just an app running on the router. So
    it expects the router to *not* use the packet if it's sourced from a
    down interface. Turns out, this doesn't happen. It will happily use
    the IP from a downed interface.

    >
    > Let me explain in more depth: Let's assume I have two locations and
    > have an IPSec tunnel between them. When going to the backup link, IPSec
    > drops (it is a normal thing because of the too-big delay of switching
    > to the backup path), and when it (the IPSec tunnel) tries to come up
    > again (through the backup interface) there are SAs sourced by the main
    > interface which is in "down" state....
    >
    > Routers are 7200's....


    We saw this on the 7200's too.


    > I got this as a feedback from our operation guys so not 100% sure it
    > is happening for real, but I'm trying to catch that event myself to
    > get some evidence.
    > In the meantime, has anyone seen this before???



    You have a decent ops team if they spotted this! If I were in the
    office, I could give you the exact TAC case number that we filed. I
    *thought* it was fixed in 12.2.24 (or perhaps 12.2.19(E4)/(E5)).



    --

    hsb


    "Somehow I imagined this experience would be more rewarding" Calvin
    **************************ROT13 MY ADDRESS*************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Feb 8, 2005
    #2

  3. Ivan Ostreš

    Ivan Ostreš Guest

    In article <j7XNd.348$>,
    says...
    > You have a decent ops team if they spotted this! If I were in the
    > office, I could give you the exact TAC case number that we filed. I
    > *thought* it was fixed in 12.2.24 (or perhaps 12.2.19(E4)/(E5)).
    >
    >


    Well, my OPS team is pretty good, but on this it was not a big trouble
    to spot, since IPSec never came up on the backup interface because the
    other router rejected SA packets from an address that it doesn't have a
    route to (of course, because the interface was "down").

    I have to admit that I just hoped that they were wrong, but it looks
    like shit really happens...

    Well, on this router the IOS is much lower than 12.2.19, so we'll just
    have to upgrade it.


    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
     
    Ivan Ostreš, Feb 8, 2005
    #3
  4. Ivan Ostreš

    Ivan Ostreš Guest

    In article <>,
    says...
    > In article <j7XNd.348$>,
    > says...
    > > You have a decent ops team if they spotted this! If I were in the
    > > office, I could give you the exact TAC case number that we filed. I
    > > *thought* it was fixed in 12.2.24 (or perhaps 12.2.19(E4)/(E5)).
    > >
    > >

    >
    > Well, my OPS team is pretty good, but on this it was not a big trouble
    > to spot, since IPSec never came up on the backup interface because the
    > other router rejected SA packets from an address that it doesn't have a
    > route to (of course, because the interface was "down").
    >
    > I have to admit that I just hoped that they were wrong, but it looks
    > like shit really happens...
    >
    > Well, on this router the IOS is much lower than 12.2.19, so we'll just
    > have to upgrade it.
    >
    >
    >


    Some update to this. It seems that the consultant that implemented this
    had not done the prescribed formal testing of the solution. The problem
    was that just "some" production traffic is encrypted while other (mostly
    internet) traffic is not. When he was testing, he used "ping", which is
    not encrypted, and he thought everything was working just because he got
    pings back after bringing up the backup interface.

    Nobody ever tested the backup using some production traffic (that should
    be encrypted), so the error was not seen until the main link died for the
    first time (a few days ago).

    The bug would have been found before putting the solution into production
    if the testing had been done right. And yes, after the upgrade, the bug is
    not present anymore.

    Conclusion: bugs are not that big a problem if the human factor doesn't
    make mistakes when testing the solution...

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
     
    Ivan Ostreš, Feb 9, 2005
    #4
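Hansang Bae's reply above describes SAs that keep the address of a downed interface, and Ivan's final post shows why a ping-only failover test missed it. As an added example that is not from this thread, the Python check below parses IOS-style `show ip interface brief` and `show crypto ipsec sa` output and flags any SA whose local endpoint belongs to an interface that is not up, which is the condition to look for after a failover. The sample output, interface names, addresses and crypto map tag are constructed.

```python
"""Flag IPSec SAs whose local endpoint sits on an interface that is not up.

Constructed sample output modelled on Cisco IOS 'show ip interface brief'
and 'show crypto ipsec sa'; addresses, interfaces and map tag are made up.
"""
import re

# Constructed sample: main link (Serial0/0) is down, backup (Serial0/1) is up.
SHOW_IP_INT_BRIEF = """\
Interface        IP-Address      OK? Method Status                Protocol
Serial0/0        198.51.100.1    YES NVRAM  down                  down
Serial0/1        203.0.113.1     YES NVRAM  up                    up
FastEthernet0/0  10.1.1.1        YES NVRAM  up                    up
"""

# Constructed sample: an SA still bound to the downed main interface's address.
SHOW_CRYPTO_IPSEC_SA = """\
interface: Serial0/0
    Crypto map tag: VPN, local addr 198.51.100.1

     local crypto endpt.: 198.51.100.1, remote crypto endpt.: 192.0.2.10
interface: Serial0/1
    Crypto map tag: VPN, local addr 203.0.113.1

     local crypto endpt.: 203.0.113.1, remote crypto endpt.: 192.0.2.10
"""

ENDPT_RE = re.compile(r"local crypto endpt\.: (\S+), remote crypto endpt\.: (\S+)")


def parse_interface_status(text):
    """Map interface IP address -> (interface name, line status)."""
    status = {}
    for line in text.splitlines()[1:]:  # skip the column header
        parts = line.split()
        if len(parts) >= 6 and parts[1] != "unassigned":
            status[parts[1]] = (parts[0], parts[4])
    return status


def find_sas_on_down_interfaces(sa_text, int_text):
    """Return [(local_ip, remote_ip, interface, status)] for every SA whose
    local endpoint is on an interface whose status is anything but 'up'."""
    by_ip = parse_interface_status(int_text)
    bad = []
    for local_ip, remote_ip in ENDPT_RE.findall(sa_text):
        name, state = by_ip.get(local_ip, ("<unknown>", "unknown"))
        if state != "up":
            bad.append((local_ip, remote_ip, name, state))
    return bad


if __name__ == "__main__":
    for entry in find_sas_on_down_interfaces(SHOW_CRYPTO_IPSEC_SA, SHOW_IP_INT_BRIEF):
        print("SA %s -> %s sourced from %s (%s)" % entry)
```

Run it against real output captured right after switching to the backup link; any hit means the stale SA still carries the main interface's address and the peer will keep rejecting it until the SA is cleared or the IOS is upgraded.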