IPSec - router logs spurious RECVD_PKT_MAC_ERR messages , Fixed CSCsv43145

Symptom: A Cisco IOS router terminating an IPSec tunnel may log the following mac authentication errors: *Oct 31 18:25:58.943: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2001 local=10.1.1.2 remote=10.1.1.1 spi=9E092279 seqno=00000001 This is just cosmetic and should not have any functional impact.
Conditions: Router is an IPSec end point with ESP (Encapsulating Security Payload) authentication enabled.
Workaround: There is no known workaround at this time.

%SYS-2-BADSHARE: Traceback @datagram_done , Fixed CSCtb07338

Symptoms: A traceback may occur.
Conditions: This symptom is observed after a crypto map is removed and reapplied.
Workaround: Use software encryption.

Crash due to CPU Error CPU address out of range , Fixed CSCse96332

Symptom: A Cisco 7200 router with NPE-G2 may unexpectedly crash due to SegV exception crash
Conditions: Conditions are unknown at this time
Workaround:
Further Problem Description:

VSA:: %SYS-3-INVMEMINT: Invalid memory action (malloc) in stress-test , Open CSCta65018

Symptom: Tracebacks showing malloc failure in datapath.
Conditions: Only at high CPU stress
Workaround:

Router crashing at crypto_ikmp_hardware_check_and_send_dpd , Fixed CSCsy10608

Symptom: Router crashing once a day
Conditions: Unknown
Workaround: downgrade to 12.4(21)

DMVPN Ph3: NHRP registration issue and tunnel flapping 1 & 2 level hubs , Fixed CSCsz48914

Symptoms: Next Hop Resolution Protocol (NHRP) registration and tunnels are not up between first- and second-level hubs.
Conditions: Occurs in hierarchical topology.
Workaround: There is no workaround.

Bus error crash at rn_match part II , Fixed CSCta69213

Symptom: A Cisco router configured for NHRP may crash due to a bus error.
Conditions: Cisco router running IOS with the fix for CSCsv40340 configured for NHRP and DMVPN.
Workaround: None
Further Problem Description:

%SYS-2-GETBUF at Crypto PAS Proc when pkts dropped by ACL with VSA , Fixed CSCsr48828

Symptoms: A Cisco router may display the following traceback: %SYS-2-GETBUF
Conditions: The symptom occurs when ACLs are configured on the WAN interfaces of the router. When outbound packets fail and are dropped on an outbound ACL, a traceback is generated. If the packets are stopped or the ACLs removed, the tracebacks stop. The problem is seen with the VSA accelerator, but not seen when software crypto is used.
Workaround: There is no workaround.

Sup Crash on several locations with IP SEC config , Open CSCtc79335

Symptom: SUP crashed on several sites
Conditions: Suspect the IPSEC VPN config.
Workaround:
Further Problem Description:

Bus error crash at rn_match , Fixed CSCsv40340

Symptoms: A Cisco router may reload due to a bus error.
Conditions: This symptom is observed on a Cisco 3845 router that is running Cisco IOS Release 12.4(15)T7. The router is configured with NHRP.
Workaround: There is no workaround.

ASR crashes at imgr_aom_obj_descr_show , Fixed CSCtd00644

Symptom: ASR ungraceful restart with scaled config.
Conditions: When there is scaled config and sessions are flapping frequently. Sometimes ASR restarts ungracefully. This problem is also timing related, so does not happen with every time sessions flaps.
Workaround: No known workaround

P1 SA stuck in KEY_EXCH forever , Fixed CSCsy07555

Cisco IOS devices that are configured for Internet Key Exchange (IKE) protocol and certificate based authentication are vulnerable to a resource exhaustion attack. Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 security associations (SA) and prevent the establishment of new IPsec sessions. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-ipsec.shtml

Crash at k_cipsStaticCryptomapEntry_get within SNMP , Fixed CSCeh37349

Symptoms: The router crashes while walking the cipsStaticCryptomapTable
Condition: Only happens in a crypto image
Workaround: 1) Do not walk the cipsStaticCryptomapTable. 2) Exclude the cipsStaticCryptomapTable from the default view.

IOS VPN Hot Issues from Cisco TAC