Cisco Bug: CSCta18741 - PIX/ASA: IOS ezvpn ipsec decompression fails with ASA as ezvpn server
Nov 09, 2016
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom: When IP compression (LZS) is used with EzVPN, with the ASA as the headend and an IOS router as the EzVPN client, packets compressed by the ASA fail decompression on IOS and are dropped, because the inbound PCP SA on IOS is different from the one negotiated by the IOS EzVPN client. The ASA uses the well-known CPI (compression parameter index) of 3 as the inbound and outbound SPI. Instead, the outbound SPI should be what is negotiated during phase 2 negotiation with the EzVPN client.
Conditions:
1) IOS as EzVPN client and ASA as EzVPN server
2) IP compression is enabled for IPsec.
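The mismatch described in the symptom, as an added example that is not part of the Cisco bug record: a simplified Python model of the receiver's check, which parses the 4-byte IPComp header (RFC 3173) and compares its CPI with the value negotiated in phase 2. The payload bytes and the negotiated CPI 0x1234 are constructed sample values, and the function names are hypothetical.

```python
import struct

WELL_KNOWN_LZS_CPI = 3   # well-known CPI for LZS (RFC 3173), the value the ASA sends
NEGOTIATED_CPI = 0x1234  # constructed sample: CPI agreed in phase 2 with the client


def parse_ipcomp(payload: bytes):
    """Return (next_header, flags, cpi) from the 4-byte IPComp header."""
    if len(payload) < 4:
        raise ValueError("truncated IPComp header")
    return struct.unpack("!BBH", payload[:4])


def classify_cpi(cpi: int) -> str:
    """Map a CPI to the ranges defined in RFC 3173."""
    if cpi <= 63:
        return "well-known"
    if cpi <= 255:
        return "reserved"
    if cpi <= 61439:
        return "negotiated"
    return "private"


def check_inbound(payload: bytes, negotiated_cpi: int) -> str:
    """Simplified model (an assumption, not IOS code): the receiver accepts
    only packets whose CPI matches its negotiated inbound PCP SA."""
    _next_header, _flags, cpi = parse_ipcomp(payload)
    if cpi == negotiated_cpi:
        return "accept"
    if cpi == WELL_KNOWN_LZS_CPI:
        return "drop: well-known LZS CPI 3 sent instead of negotiated CPI"
    return f"drop: no inbound PCP SA for {classify_cpi(cpi)} CPI {cpi}"


# Constructed sample packets: next header 4 (IP-in-IP), flags 0, then the CPI,
# followed by zero bytes standing in for the compressed data.
FROM_ASA = struct.pack("!BBH", 4, 0, WELL_KNOWN_LZS_CPI) + b"\x00" * 8
EXPECTED = struct.pack("!BBH", 4, 0, NEGOTIATED_CPI) + b"\x00" * 8

if __name__ == "__main__":
    for name, pkt in (("from ASA", FROM_ASA), ("expected", EXPECTED)):
        print(name, "->", check_inbound(pkt, NEGOTIATED_CPI))
```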