Preview Tool

Cisco Bug: CSCta18741 - PIX/ASA: IOS ezvpn ipsec decompression fails with ASA as ezvpn server

Last Modified

Nov 09, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.0(4) 8.0(4.31)

Description (partial)


When IP compression (lzs) is used with EzVPN with ASA as
the headend, and IOS router as ezvpn client, 
the packets compressed by ASA fail decompression
on IOS, and are dropped as the PCP inbound sa 
on IOS is different from the one negotiated by IOS ezvpn client. 

ASA uses the well known CPI (compression
parameter index) of 3 as the inbound and outbound SPI. 
Instead, the outbound SPI should be whats negotiated
during phase 2 negotiation with the ezvpn client. 


1)IOS as ezvpn client and ASA as EzVPN server
2) IP compression is enabled for IPSEC.
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.