Cisco Bug: CSCta01894 - AC client traffic destined to unused local pool addr should be dropped

Last Modified

Dec 27, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases


Description (partial)


Packets destined for an IP address that is part of the local pool used for AnyConnect client connections, but that is not currently in use by any client, are forwarded out an interface (i.e., the interface defined by the matching route in the routing table) instead of being dropped.

If the next-hop router sends the packet back to the ASA, and the ASA has same-security permit intra-interface configured, and the packet is permitted by the interface access-list, then the packet gets into an infinite loop. Such a loop can cause high interface load and high CPU load.
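A configuration check for the two conditions in the description above, as an added example that is not part of the bug report or any Cisco tooling. It assumes the usual ASA line forms for `ip local pool`, `route` and the intra-interface command; the sample configuration, the addresses and the names `audit` and `best_route` are constructed for illustration. Only static `route` lines are considered, and the interface access-list and software release are not evaluated.

```python
import ipaddress
import re

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONFIG = """\
ip local pool VPNPOOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
same-security-traffic permit intra-interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.20.0.0 255.255.0.0 10.1.1.254 1
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)", re.M)
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)", re.M)
# Accepts the spelling used on this page and the longer "-traffic" form.
INTRA_RE = re.compile(r"^same-security(?:-traffic)? permit intra-interface", re.M)


def best_route(addr, routes):
    """Longest-prefix match of addr against (network, interface, gateway)."""
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def audit(config, in_use=()):
    """Report pools whose unassigned addresses still match a static route,
    which is the forwarding condition the description names."""
    routes = [(ipaddress.ip_network(f"{net}/{mask}", strict=False), ifc, gw)
              for ifc, net, mask, gw in ROUTE_RE.findall(config)]
    hairpin = bool(INTRA_RE.search(config))
    used = {ipaddress.ip_address(a) for a in in_use}
    findings = []
    for name, first, last in POOL_RE.findall(config):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        unused = [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)
                  if ipaddress.ip_address(i) not in used]
        hits = [r for r in (best_route(a, routes) for a in unused) if r]
        if hits:
            # hairpin_permitted is one precondition of the loop, not proof of it:
            # the next hop must also return the packet and the ACL must permit it.
            findings.append({"pool": name, "unused_routed": len(hits),
                             "egress": sorted({r[1] for r in hits}),
                             "hairpin_permitted": hairpin})
    return findings
```

Pass the currently assigned client addresses as `in_use`; an empty result means no unassigned pool address matches a static route in the supplied configuration.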

