Symptom
IPSEC-3-HMAC_ERROR logs are generated on SDWAN IOS-XE
The output of show platform hardware qfp active feature ipsec datapath drops shows the "IN_OCT_MAC_EXCEPTION" drop counter increasing.
Conditions
A BFD session traverses NAT and the public IP or port of the session changes.
Workaround
Clear control connections on the edge behind the TLOC ex., not on the device that is dropping packets due to HMAC errors.
Further Problem Description
To confirm that you are hitting this defect:
1. Run show platform hardware qfp active feature bfd datapath sdwan summary and note the LD of the affected BFD session.
2. Run show platform hardware qfp active feature bfd datapath sdwan ld [LD from the previous output] and compare the My Symmetric NAT IP / Port fields with the translation the session actually receives through NAT, as in the example below.
router#show plat hard qfp active feature bfd datapath sdwan ld 10
LD : 10
My Private IP : 10.x.x.1
Remote Private IP : 11.x.x.1
Tx Stats : 100
Rx Stats : 100
Encap Type : IPSEC
State : Up
IPSec Out SA ID : 100
Tunnel Rec ID : 100
IfName : GigabitEthernet0/0/0
Uidb : 100
Config Tx Timer : 1000000
Conig Detect Timer : 7000000
Actual Tx Timer : 1000000
Actual Detect Timer : 7000000
My Pub IP : 20.x.x.1
My Pub Port : 10000
My Symmetric NAT IP : 20.x.x.3 <----Symmetric NAT IP does not match the IP you would get when you go through NAT
My Symmetric NAT Port : 10000
Remote public IP : 11.x.x.1
Remote public Port : 12346
MTU(config), Actual : 1438, 1438
Farend PMTU : 505
My Capabilities : 0x60
Remote Capabilities : 0x160
SDWAN BFD flags : |SYMNAT_UP|||
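The check in the Further Problem Description can be scripted against the per-LD show output. The following is an added example, not Cisco's code or anything from the bug record: it parses "Key : Value" lines of the format shown above, extracts the SDWAN BFD flags, and reports whether the symmetric-NAT mapping disagrees with the translation the session should have. It assumes the field names exactly as they appear in the output above; when the caller does not supply the real NAT translation, it falls back to comparing against My Pub IP / My Pub Port, which is an approximation of the "IP you would get when you go through NAT" wording in the record. The sample output is constructed with RFC 5737 documentation addresses.

```python
import re

# Constructed sample, modelled on the "show platform hardware qfp active feature
# bfd datapath sdwan ld <n>" output quoted in the bug record. Addresses are
# RFC 5737 documentation ranges, not real hosts.
SAMPLE_LD_OUTPUT = """\
LD : 10
My Private IP : 192.0.2.1
Remote Private IP : 198.51.100.1
Encap Type : IPSEC
State : Up
IfName : GigabitEthernet0/0/0
My Pub IP : 203.0.113.1
My Pub Port : 10000
My Symmetric NAT IP : 203.0.113.3 <----annotation kept as in the bug record
My Symmetric NAT Port : 10000
Remote public IP : 198.51.100.1
Remote public Port : 12346
SDWAN BFD flags : |SYMNAT_UP|||
"""

# One "Key : Value" line; an optional trailing "<----" annotation is stripped.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*(?:<-.*)?$")


def parse_ld_output(text):
    """Parse the per-LD show output into a dict of field name -> string value."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group("value"):
            fields[m.group("key")] = m.group("value")
    return fields


def parse_flags(flag_field):
    """'|SYMNAT_UP|||' -> {'SYMNAT_UP'}; empty segments between bars are dropped."""
    return {f for f in flag_field.split("|") if f}


def check_symmetric_nat(fields, expected_nat_ip=None, expected_nat_port=None):
    """Compare the symmetric-NAT mapping stored on the LD with the translation
    the session should actually get. Pass the real translation if known;
    otherwise (assumption) fall back to the My Pub IP / My Pub Port fields."""
    ref_ip = expected_nat_ip or fields.get("My Pub IP")
    ref_port = expected_nat_port or fields.get("My Pub Port")
    sym_ip = fields.get("My Symmetric NAT IP")
    sym_port = fields.get("My Symmetric NAT Port")
    flags = parse_flags(fields.get("SDWAN BFD flags", ""))

    ip_mismatch = bool(sym_ip and ref_ip and sym_ip != ref_ip)
    port_mismatch = bool(sym_port and ref_port and sym_port != ref_port)
    return {
        "ld": fields.get("LD"),
        "state": fields.get("State"),
        "symnat_flag": "SYMNAT_UP" in flags,
        "ip_mismatch": ip_mismatch,
        "port_mismatch": port_mismatch,
        # The bug signature needs both: the session is marked as using a
        # symmetric-NAT mapping, and that mapping disagrees with the reference.
        "matches_signature": "SYMNAT_UP" in flags and (ip_mismatch or port_mismatch),
    }


def report(text, **expected):
    """Print a short verdict for one LD and return the check result."""
    fields = parse_ld_output(text)
    result = check_symmetric_nat(fields, **expected)
    verdict = "MATCHES bug signature" if result["matches_signature"] else "no mismatch"
    print(f"LD {result['ld']} ({result['state']}): {verdict}")
    for key in ("My Pub IP", "My Pub Port", "My Symmetric NAT IP",
                "My Symmetric NAT Port", "SDWAN BFD flags"):
        print(f"  {key:<22}: {fields.get(key, '?')}")
    return result


if __name__ == "__main__":
    report(SAMPLE_LD_OUTPUT)
```

Paste the real show output into parse_ld_output, and pass expected_nat_ip / expected_nat_port when the NAT device's actual translation for the session is known; a session that has SYMNAT_UP set but whose mapping agrees with the reference is not reported as matching.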