Cisco Bug: CSCsz04730 - PIX/ASA: When route changes connections over IPSEC tunnel not torn down
Feb 13, 2018
- Cisco ASA 5500-X Series Firewalls
Symptom: When multiple outside interfaces exist and a routing change occurs for destinations reachable over an IPsec VPN, existing flows continue to use the existing IPsec SA for as long as it remains active. This may cause problems for UDP and other traffic that uses the same layer 4 ports (or has no layer 4 ports), because existing flows keep using the previous interface and IPsec SA and do not fail over to the current outside interface and IPsec SA. This is most relevant for a failover from a secondary to a primary path, where the secondary path (interface) may have lower bandwidth or incur additional cost based on traffic volume. This is the same as bug CSCso42904, which did not fix the case where routes change for IPsec VPN destinations. Conditions: A routing change occurs for destinations over an IPsec VPN while existing traffic flows (connections) exist whose layer 4 ports do not change (or do not exist, as with GRE).