Hello everyone,
Today I will introduce to you the SIP service interruption caused by AR1200 IPsec.
Issue Description
The customer configured two 100 Mbit/s IPsec tunnels between an AR1220E and Cisco ASR1002/ASR1004 routers. After IPsec was configured, the customer experienced packet loss, degraded network performance and interrupted SIP sessions.
Handling Process
According to the configuration on the device, only the AR and the peer ASR establish an IPsec tunnel; there is no NAT configuration. The SIP packets are encrypted and decrypted as IPsec packets. I do not see any IPsec flapping in the debug log. Ringing can be heard when a call is placed, which shows that SIP packets are being exchanged and that the IPsec tunnel is up. The information collected so far shows nothing suspicious.
Please follow the suggestions below to capture packets.
1. For both the scenario with IPsec configured and the scenario without IPsec, capture SIP packets on the AR interface connected to the S57 to confirm the difference in the SIP packet exchange.
2. Use the AH algorithm for IPsec, or replace IPsec with a GRE tunnel, so that the packets can be seen in plain text. If the problem still exists, capture packets on the IPsec or GRE interface of the AR and on the S57-side interface.
One of the captured packets from the capture file:
Root Cause
Comparing the packet capture with the GRE over IPsec test, the most likely explanation from the current analysis is that fragmentation is not allowed on these packets: after IPsec encryption the packet becomes larger, fragmentation is prohibited by the DF flag, and so the packet is discarded by the intermediate network.
Solution
There are two commands that remove the do-not-fragment flag. It is recommended to configure the corresponding commands on both devices; configure them and then test:
1. Configure the clear ip df command on the interface to clear the do-not-fragment flag when packets are sent. No corresponding Cisco command was found.
2. Configure the ipsec df-bit clear command in the system view. IPsec then does not copy the DF flag from the inner IP header, so the packet may be fragmented after encryption. The corresponding Cisco command is:
Router(config)# crypto ipsec df-bit clear
Many packets in the capture carry the do-not-fragment flag. Only when a packet is IPsec-encrypted does IPsec copy the DF flag from the inner IP header to the outer header, so after encryption the packet is not allowed to be fragmented. In the GRE over IPsec case, the initial GRE encapsulation does not copy the DF bit from the inner IP header, so the encapsulated packet can be fragmented.
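As an added example (not part of the original post or the vendor's tooling), the following script models the behaviour described above: it reads the DF flag from a constructed IPv4 packet, estimates the size after ESP tunnel-mode encapsulation, and reports whether an intermediate link with a given MTU would forward, fragment or drop it depending on whether the DF bit is copied (default) or cleared (ipsec df-bit clear), or whether GRE over IPsec is used. The ESP overhead figures (AES-CBC with HMAC-SHA1-96) and the 24-byte GRE overhead are assumptions, not values from the post.

```python
import struct

def build_ipv4(total_len: int, df: bool, proto: int = 17) -> bytes:
    """Constructed sample: minimal IPv4 header (no options) plus zero payload."""
    flags_frag = 0x4000 if df else 0          # DF is bit 14 of the flags/fragment-offset field
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1]))
    return hdr + b"\x00" * (total_len - 20)

def parse_ipv4(pkt: bytes) -> dict:
    """Return header length, total length and the DF/MF flags of an IPv4 packet."""
    ver_ihl, _, total_len, _, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"ihl": (ver_ihl & 0xF) * 4, "total_len": total_len,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000)}

# Assumed ESP tunnel-mode overhead (AES-CBC + HMAC-SHA1-96); adjust for the real transform set.
OUTER_IP, ESP_HDR, ESP_IV, ESP_TRAILER, ESP_ICV, BLOCK = 20, 8, 16, 2, 12, 16
GRE_OVERHEAD = 24   # assumed: GRE outer IP (20) + GRE header without key/sequence (4)

def esp_tunnel_size(inner_len: int, gre: bool = False) -> int:
    """On-the-wire size after optional GRE encapsulation followed by ESP tunnel mode."""
    payload = inner_len + (GRE_OVERHEAD if gre else 0)
    pad = (-(payload + ESP_TRAILER)) % BLOCK      # pad so payload+trailer is a cipher block multiple
    return OUTER_IP + ESP_HDR + ESP_IV + payload + pad + ESP_TRAILER + ESP_ICV

def outcome(pkt: bytes, path_mtu: int, copy_df: bool, gre: bool = False) -> str:
    """What an intermediate link does with the encrypted packet for the given MTU and DF policy."""
    info = parse_ipv4(pkt)
    wire = esp_tunnel_size(info["total_len"], gre)
    if wire <= path_mtu:
        return "forwarded"
    # Plain IPsec copies the inner DF bit unless df-bit clear is configured; with GRE over IPsec
    # the GRE step does not copy DF, so the outer packet remains fragmentable.
    outer_df = info["df"] and copy_df and not gre
    return "dropped (DF set, exceeds MTU)" if outer_df else "fragmented"

if __name__ == "__main__":
    sip_invite = build_ipv4(1460, df=True)      # constructed: large SIP INVITE with DF set
    for policy, gre in (("copy DF", False), ("df-bit clear", False), ("GRE over IPsec", True)):
        print(f"{policy:15s}: {outcome(sip_invite, 1500, copy_df=(policy == 'copy DF'), gre=gre)}")
```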
Suggestion
If the configuration is confirmed to be normal, enable debugging and capture packets.
That is all I want to share with you! Thank you!