Cisco Bug: CSCsz04730 - PIX/ASA: When route changes connections over IPSEC tunnel not torn down

Last Modified

Nov 28, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

Description (partial)

When multiple outside interfaces exist and a routing change occurs
for destinations reachable over an IPsec VPN, existing flows
continue to use the existing IPsec SA for as long as it remains active.

This may cause problems for UDP and other traffic that reuses the
same layer 4 ports (or has no layer 4 ports at all), because the
existing flows continue to use the previous outside interface / IPsec SA
and do not fail over to the current outside interface / IPsec SA.

This is most relevant for a failover from a secondary path back to a
primary path, where the secondary path (interface) may have lower
bandwidth or incur additional cost based on traffic volume.

This is the same issue as bug CSCso42904, whose fix did not cover
the case where routes change for IPsec VPN destinations.


This occurs when routing changes take place for destinations reachable over
the IPsec VPN while existing traffic flows (connections) exist whose layer 4
ports do not change (or which have no layer 4 ports, such as GRE).

Related Community Discussions

Is this ever going to be fixed, <key>CSCsz04730</key>???
Hi, is there any time frame for when this bug <key>CSCsz04730</key> will be fixed? Got embarrassed in front of a customer. The bug was first found in 8.0(4) and hasn't been resolved so far. I hit this bug on 8.2(2). Manish
Latest activity: Apr 19, 2011