Crazy: a bunch of router cards were crashing.
“#show save” shows that the LP-IKE task is responsible:
BEGIN: show save
CONTEXT: MP
TIME-STAMP: 2155905152 milli sec since device started
============================================================
Active MP crash dump area clean
Standby MP crash dump area clean
========================================================================
NetIron XMR Crash Dump Version 1.1
Retrieved from Line Card on Slot 1
Module Type : LP
Boot : 05.09.00T175 xmlprm05900 built on Mar 19 2015 at 03:17:00
Monitor : 06.00.00T175 xmlb06000 built on Jun 7 2016 at 16:09:50
System : 06.00.00aT177 xmlp06000a built on Aug 6 2016 at 00:18:20
Current Task : LP-IKE
Created on : 22:41:45 Pacific Sun Sep 18 2016
System had been up for 3 minutes
EXCEPTION 1200, Data TLB error
Task : LP-IKE
GP Registers
r0 : 21225980 3d592cd0 2166ccf0 65652035
r4 : 65652035 00000000 00000020 00000000
r8 : 3d592e5c 3d592e5f 04962000 00000000
r12 : 0000009f 21ced470 00000000 00000000
r16 : 00000000 00000000 00000000 00000000
r20 : 00000001 ffffffff 04a25200 00000000
r24 : 21cc49dc 04960000 00000000 00000000
r28 : 65652035 00000000 00000000 00000000
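To triage saved "show save" output from several cards, the sketch below pulls the slot, current task, exception and uptime out of each line-card dump and lists the slots that crashed in LP-IKE. It is an added example, not part of the original notes or any vendor tooling; the function names and the sample text (including the made-up task name LP-EXAMPLE and the slot 4 record) are assumptions.

```python
import re

SLOT = re.compile(r"Retrieved from Line Card on Slot\s+(\d+)")
TASK = re.compile(r"Current Task\s*:\s*(\S+)")
EXC = re.compile(r"EXCEPTION\s+(\w+),\s*(.+?)(?=\s+Task\s*:|\s*$)", re.M)
UP = re.compile(r"System had been up for\s+(\d+)\s+minutes")

# Constructed sample: slot 1 copies fields from the dump above; slot 4 and
# its task name LP-EXAMPLE are made up to show a card that does not match.
SAMPLE = """\
NetIron XMR Crash Dump Version 1.1
Retrieved from Line Card on Slot 1
Current Task : LP-IKE
System had been up for 3 minutes
EXCEPTION 1200, Data TLB error
Task : LP-IKE
NetIron XMR Crash Dump Version 1.1
Retrieved from Line Card on Slot 4
Current Task : LP-EXAMPLE
System had been up for 9000 minutes
EXCEPTION 1200, Data TLB error
Task : LP-EXAMPLE
"""

def parse_crash_dumps(text):
    """Return one record per line-card dump; works on wrapped or flattened text."""
    starts = [m.start() for m in SLOT.finditer(text)] + [len(text)]
    records = []
    for begin, end in zip(starts, starts[1:]):
        chunk = text[begin:end]  # from this card's "Retrieved from" to the next
        task, exc, up = TASK.search(chunk), EXC.search(chunk), UP.search(chunk)
        records.append({
            "slot": int(SLOT.match(chunk).group(1)),
            "task": task.group(1) if task else None,
            "exception": exc.group(1) if exc else None,
            "reason": exc.group(2) if exc else None,
            "uptime_min": int(up.group(1)) if up else None,
        })
    return records

def slots_crashed_in(text, task="LP-IKE"):
    """Slots whose dump names `task` as the current task at crash time."""
    return sorted(r["slot"] for r in parse_crash_dumps(text) if r["task"] == task)

if __name__ == "__main__":
    print(slots_crashed_in(SAMPLE))
```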
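Here is a quick fix: a receive ACL that drops IKE (UDP isakmp, port 500) and IPsec NAT-T (UDP 4500) packets addressed to the router itself.
Images with the fix will be released tomorrow, 2016-09-20.
NOTE: If the customer has active IPSec traffic in the network, DO NOT USE this ACL. We don’t have 100% proof, but they may not be hitting this defect.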
ip access-list extended BLOCK_IKE
deny udp any any eq isakmp
deny udp any any eq 4500
permit ip any any
ip access-list extended PERMIT_ANY
permit ip any any
ip receive access-list BLOCK_IKE sequence 5
ip receive access-list PERMIT_ANY sequence 99
ip receive access-list enable-deny-logging
- If the customer is already using receive ACLs, they might want to skip sequence 99 and also the “permit ip any any” line in the BLOCK_IKE ACL.
- To verify that packets are being blocked:
sh access-list receive accounting name BLOCK_IKE
- The ACL was successfully tested in the TAC lab for about an hour against the IKE capture from **** that otherwise causes an LP1 crash.