Cisco Bug: CSCsz04730 - PIX/ASA: When route changes connections over IPSEC tunnel not torn down

Last Modified

Jun 29, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.0(4.28)

Description (partial)

Symptom:

When multiple outside interfaces exist and a routing change occurs
for destinations reachable over an IPsec VPN, existing flows
continue to use the existing IPsec SA for as long as it is active.

This may cause problems for UDP and other traffic
that uses the same layer 4 ports (or has no layer 4 ports),
because existing flows continue to use the previous
interface/IPsec SA and do not fail over to the current
outside interface/IPsec SA.

This is most relevant for a failover from a secondary
path back to a primary path, where the secondary path (interface)
may have lower bandwidth or incur additional cost based
on traffic volume.

This is the same issue as bug CSCso42904, which did not fix
the case where routes change for IPsec VPN destinations.

Conditions:

Routing changes occur for destinations over an IPsec VPN
while existing traffic flows (connections) exist whose layer 4 ports do not
change (or do not exist, as with GRE).
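The pinning described above, as an added model that is not Cisco's code and not the ASA implementation: a connection table keyed on the 5-tuple, where each conn is pinned at creation to the egress interface (and so the IPsec SA) that the route lookup returned. Interface names (`outside`, `backup`), prefixes and addresses are constructed; `stale_conns` is the check an operator would want after a route reverts, and `clear_stale` stands in for manually clearing those connections so they are rebuilt on the current path.

```python
"""Model of the connection pinning described in CSCsz04730.

Added illustration, not Cisco code. It assumes a simplified ASA-like conn
table where each flow is keyed by its 5-tuple and pinned, at creation time,
to the egress interface (hence the IPsec SA) returned by the route lookup.
Interface names, prefixes and addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FlowKey:
    proto: str             # "tcp", "udp", "gre"
    src: str
    sport: Optional[int]   # None for port-less protocols such as GRE
    dst: str
    dport: Optional[int]


@dataclass
class Conn:
    key: FlowKey
    egress: str            # outside interface / IPsec SA chosen when the conn was built
    packets: int = 0


class ConnTable:
    def __init__(self, routes: Dict[str, str]):
        # prefix -> egress interface (constructed route table)
        self.routes = {ipaddress.ip_network(p): i for p, i in routes.items()}
        self.conns: Dict[FlowKey, Conn] = {}

    def route_lookup(self, dst: str) -> str:
        """Longest-prefix match against the current route table."""
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            raise LookupError(f"no route to {dst}")
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def forward(self, key: FlowKey) -> str:
        """Return the egress interface the packet actually leaves on."""
        conn = self.conns.get(key)
        if conn is None:
            # New conn: built against the route table as it is right now.
            conn = Conn(key, self.route_lookup(key.dst))
            self.conns[key] = conn
        conn.packets += 1
        return conn.egress     # existing conn: stays where it was built

    def update_route(self, prefix: str, iface: str) -> None:
        self.routes[ipaddress.ip_network(prefix)] = iface

    def stale_conns(self) -> List[Conn]:
        """Conns whose pinned egress no longer matches the current route."""
        return [c for c in self.conns.values()
                if c.egress != self.route_lookup(c.key.dst)]

    def clear_stale(self) -> int:
        """Operator workaround: tear down pinned conns so they are rebuilt."""
        stale = self.stale_conns()
        for c in stale:
            del self.conns[c.key]
        return len(stale)


def demo() -> dict:
    """Primary 'outside' was down; VPN flows were built on 'backup'. Then it recovers."""
    t = ConnTable({"0.0.0.0/0": "outside", "10.20.0.0/16": "backup"})
    udp = FlowKey("udp", "192.168.1.10", 514, "10.20.0.5", 514)   # fixed ports both ends
    gre = FlowKey("gre", "192.168.1.1", None, "10.20.0.1", None)  # no layer 4 ports
    tcp1 = FlowKey("tcp", "192.168.1.20", 51000, "10.20.0.9", 443)
    for k in (udp, gre, tcp1):
        t.forward(k)

    # Primary recovers: the route to the VPN destinations moves back to 'outside'.
    t.update_route("10.20.0.0/16", "outside")

    # A fresh TCP session uses a new ephemeral port, so it is a new conn and
    # follows the new route; the UDP and GRE keys already exist and stay pinned.
    tcp2 = FlowKey("tcp", "192.168.1.20", 51001, "10.20.0.9", 443)
    after = {"tcp_new": t.forward(tcp2), "udp": t.forward(udp), "gre": t.forward(gre)}

    # The audit finds everything still on the backup SA (tcp1 included),
    # and clearing it lets the next packet rebuild on the primary path.
    stale = sorted(c.key.proto for c in t.stale_conns())
    cleared = t.clear_stale()
    after_clear = {"udp": t.forward(udp), "gre": t.forward(gre)}
    return {"after": after, "stale": stale, "cleared": cleared, "after_clear": after_clear}


if __name__ == "__main__":
    print(demo())
```

The audit is the operationally useful part: after a primary path recovers, list the conns whose pinned egress differs from the current route and clear them, since fixed-port UDP and port-less flows such as GRE will not move on their own.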
