Cisco Bug: CSCta57915 - IKE phase 2 for secondary peer fails with connection-type originate-only
Nov 09, 2016
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
7.2 8.0(4.32) 8.0(4.37)
Symptom: IKE phase 2 negotiation fails when the initiator ASA attempts to connect to the secondary peer. The initiator ASA sends the IKE peer address as the phase 2 proxy IDs instead of the configured IPSec proxy addresses.

Conditions: This happens under the following conditions:
- The initiator ASA is configured with connection-type "originate-only" and the responder is configured with connection-type "answer-only".
- Multiple peers are configured on the initiator ASA's crypto map for redundancy.

The failure occurs when the initiator attempts to connect to the secondary peer specified in the crypto map after the primary peer is dead.
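To check whether an initiator's configuration matches the conditions above, the following added example (not part of the Cisco bug record) scans a saved configuration for crypto map entries that combine originate-only with more than one peer. The function name, the sample configuration and its documentation-range addresses are constructed for illustration; the parser assumes the usual `crypto map <name> <seq> set ...` running-config line form.

```python
import re
from collections import defaultdict

# Constructed sample initiator configuration (documentation-range addresses).
SAMPLE_CONFIG = """\
access-list VPN_ACL extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address VPN_ACL
crypto map OUTSIDE_MAP 10 set peer 192.0.2.1 192.0.2.2
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP 20 match address VPN_ACL2
crypto map OUTSIDE_MAP 20 set peer 198.51.100.1
crypto map OUTSIDE_MAP 20 set connection-type originate-only
crypto map OUTSIDE_MAP 30 set peer 203.0.113.1 203.0.113.2
crypto map OUTSIDE_MAP interface outside
"""

# Only the two settings named in the bug conditions are parsed.
ENTRY = re.compile(r"^crypto map (\S+) (\d+) set (peer|connection-type) (.+)$")


def find_exposed_entries(config_text):
    """Return [(map_name, seq, [peers])] for entries matching the bug conditions."""
    # An entry with no explicit connection-type is bidirectional (the ASA default).
    entries = defaultdict(lambda: {"peers": [], "conn_type": "bidirectional"})
    for line in config_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        name, seq, key, value = m.groups()
        entry = entries[(name, int(seq))]
        if key == "peer":
            entry["peers"].extend(value.split())
        else:
            entry["conn_type"] = value.strip()
    # Flag entries that are originate-only AND list at least one backup peer.
    return [
        (name, seq, e["peers"])
        for (name, seq), e in sorted(entries.items())
        if e["conn_type"] == "originate-only" and len(e["peers"]) > 1
    ]


if __name__ == "__main__":
    for name, seq, peers in find_exposed_entries(SAMPLE_CONFIG):
        print(f"crypto map {name} {seq}: originate-only with backup peers {peers[1:]}")
```

A flagged entry only shows that the configuration conditions are met; whether the device is affected also depends on it running one of the releases listed above.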