After hitting a really bad bug in IOS XE related to GetVPN, today we got a new IOS version from Cisco for testing. Cisco now recommends making a big jump to IOS 15.1(1)S1. This release is quite fresh, from February this year, but it is basically the only choice we have to avoid further crashes caused by GetVPN.
What happened: We did a lot of tests with GetVPN, first in the GNS3 network simulator, later with ASR spare equipment and later in a lab. All tests went well without crashes. Now it was time to smoothly enable GetVPN/encryption in our MPLS as a site-by-site rollout. In the middle of this process we had to update the encryption ACL (the centrally managed ACL which defines the traffic for encryption). So far so good. In our tests we did this several times without any issue. This time the ACL got modified and the central key server router pushed the updated ACL out to all GetVPN group members and triggered a rekey. At that very second, two of our ASR1006 routers crashed and rebooted. Unfortunately this happened to the primary and secondary router of one of our data centers at the same time. Definitely a "black day" and an outage for some seconds, because the redundant route processor of the ASR took over.
After crash debugging, we now have a new candidate to "try" with version 15.1(1)S1. I will test this new image within the next few days on spare equipment as well as at some less critical office sites and see how stable it is. The bug scrub still has some issues listed, which makes me feel bad, but we will see…