Crazy: a bunch of router cards were crashing.

“#show save” shows that the LP-IKE task is responsible:

BEGIN: show save
CONTEXT: MP
TIME-STAMP: 2155905152 milli sec since device started
============================================================
Active MP crash dump area clean
Standby MP crash dump area clean
========================================================================
NetIron XMR Crash Dump Version 1.1
Retrieved from Line Card on Slot 1

Module Type    : LP
Boot           : 05.09.00T175 xmlprm05900 built on Mar 19 2015 at 03:17:00
Monitor        : 06.00.00T175 xmlb06000 built on Jun  7 2016 at 16:09:50
System         : 06.00.00aT177 xmlp06000a built on Aug  6 2016 at 00:18:20
Current Task   : LP-IKE

Created on     : 22:41:45 Pacific Sun Sep 18 2016

System had been up for 3 minutes

EXCEPTION 1200, Data TLB error

Task	:	LP-IKE

GP Registers
r0      : 21225980 3d592cd0 2166ccf0 65652035
r4      : 65652035 00000000 00000020 00000000
r8      : 3d592e5c 3d592e5f 04962000 00000000
r12     : 0000009f 21ced470 00000000 00000000
r16     : 00000000 00000000 00000000 00000000
r20     : 00000001 ffffffff 04a25200 00000000
r24     : 21cc49dc 04960000 00000000 00000000
r28     : 65652035 00000000 00000000 00000000
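When several cards are crashing, it helps to pull the slot, current task and exception out of collected "show save" output and list the slots that died in LP-IKE. The script below is an added example, not part of the original post or any vendor tooling; it assumes the field layout shown in the dump above, and the second record with its task name LP-EXAMPLE is constructed.

```python
import re

# Constructed sample: trimmed from the dump layout shown above, plus a
# second made-up record (task name LP-EXAMPLE is hypothetical).
SAMPLE = """\
NetIron XMR Crash Dump Version 1.1
Retrieved from Line Card on Slot 1
Current Task   : LP-IKE
System had been up for 3 minutes
EXCEPTION 1200, Data TLB error
========================================================================
NetIron XMR Crash Dump Version 1.1
Retrieved from Line Card on Slot 3
Current Task   : LP-EXAMPLE
System had been up for 900 minutes
EXCEPTION 1200, Data TLB error
"""

FIELDS = {
    "slot": re.compile(r"^Retrieved from Line Card on Slot (\d+)", re.M),
    "task": re.compile(r"^Current Task\s*:\s*(\S+)", re.M),
    "uptime_min": re.compile(r"^System had been up for (\d+) minutes", re.M),
    "exception": re.compile(r"^EXCEPTION (\d+), (.+)$", re.M),
}

def parse_dumps(text):
    """Split on the crash-dump banner and pull the triage fields from each record."""
    records = []
    for chunk in re.split(r"^(?=NetIron XMR Crash Dump Version)", text, flags=re.M):
        if not chunk.startswith("NetIron XMR Crash Dump"):
            continue  # preamble, e.g. "BEGIN: show save" or "crash dump area clean"
        rec = {}
        for name, rx in FIELDS.items():
            m = rx.search(chunk)
            rec[name] = " ".join(m.groups()) if m else None  # None: field absent
        records.append(rec)
    return records

def ike_crashes(records):
    """Slots whose line card crashed while LP-IKE was the current task."""
    return [r["slot"] for r in records if r["task"] == "LP-IKE"]

if __name__ == "__main__":
    for r in parse_dumps(SAMPLE):
        print(r)
    print("LP-IKE crashes on slots:", ike_crashes(parse_dumps(SAMPLE)))
```

A short uptime next to an LP-IKE crash, as in the dump above (3 minutes), is worth noting because it suggests the card is crashing again soon after each reload.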

Here is a quick fix.

Fixes in image will be released tomorrow, 2016-09-20.

NOTE: If the customer has active IPSec traffic in the network, DO NOT USE this ACL. We don’t have 100% proof but they may not be hitting this defect.

ip access-list extended BLOCK_IKE
 deny udp any any eq isakmp
 deny udp any any eq 4500
 permit ip any any
!
ip access-list extended PERMIT_ANY
 permit ip any any

ip receive access-list BLOCK_IKE sequence 5
ip receive access-list PERMIT_ANY sequence 99
ip receive access-list enable-deny-logging

  • If the customer is already using receive ACLs, they might want to skip seq 99 and also the “permit ip any any” line in the BLOCK_IKE ACL.
  • To verify the packets blocked:

sh access-list receive accounting name BLOCK_IKE

  • The ACL was successfully tested in the TAC lab for about an hour against the IKE capture from **** that otherwise causes an LP1 crash.
