Cisco Bug: CSCta57915 - IKE phase 2 for secondary peer fails with connection-type originate-only

Last Modified

Nov 09, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

7.2 8.0(4.32) 8.0(4.37)

Description (partial)

IKE phase 2 negotiation fails when the initiator ASA attempts to connect to the secondary peer.
This is because the initiator ASA transmits the IKE peer address as the phase 2 proxy IDs instead of
the configured IPsec proxy addresses.

This happens under the following conditions:

-The initiator ASA has its connection-type configured as "originate-only" and the responder
 has its connection-type configured as "answer-only".

-Multiple peers are configured in the initiator ASA's crypto map entry for redundancy.

The failure occurs when the initiator attempts to connect to the secondary peer listed in the
crypto map after the primary peer has gone down.
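As an added illustration (not part of the Cisco bug record), the following script scans a running-config fragment for crypto map entries that meet both triggering conditions at once: connection-type originate-only and more than one peer. The config text, map names and addresses are constructed sample values, not taken from the bug report.

```python
import re
from typing import Dict, List

# Constructed sample ASA running-config fragment (illustrative only).
SAMPLE_CONFIG = """\
crypto map OUTSIDE_MAP 10 match address VPN_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP 20 match address VPN_ACL2
crypto map OUTSIDE_MAP 20 set peer 198.51.100.7
crypto map OUTSIDE_MAP 20 set connection-type originate-only
crypto map OUTSIDE_MAP 30 set peer 192.0.2.9 192.0.2.10
crypto map OUTSIDE_MAP 30 set connection-type bidirectional
"""

# Only the two settings relevant to the bug conditions are parsed.
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) set (peer|connection-type) (.+)$")


def parse_crypto_maps(config: str) -> Dict[str, dict]:
    """Collect peers and connection-type per 'map-name seq' entry."""
    entries: Dict[str, dict] = {}
    for raw in config.splitlines():
        m = CRYPTO_MAP_RE.match(raw.strip())
        if not m:
            continue
        name, seq, keyword, value = m.groups()
        entry = entries.setdefault(f"{name} {seq}", {"peers": [], "connection_type": None})
        if keyword == "peer":
            # 'set peer' may list several addresses on one line (redundant peers).
            entry["peers"].extend(value.split())
        else:
            entry["connection_type"] = value.strip()
    return entries


def find_affected_entries(config: str) -> List[str]:
    """Return entries that are originate-only AND have more than one peer configured."""
    return sorted(
        key for key, e in parse_crypto_maps(config).items()
        if e["connection_type"] == "originate-only" and len(e["peers"]) > 1
    )


if __name__ == "__main__":
    for key in find_affected_entries(SAMPLE_CONFIG):
        print(f"matches bug conditions: crypto map {key}")
```

An entry that is flagged only matters on a release listed as affected; the script checks configuration shape, not software version.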