Cisco Bug: CSCtd51042 - ASA: ip IPSec SA not brought up if similar icmp SA is up

Last Modified

Nov 09, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.0(4)

Description (partial)

Symptom:

  When an IPsec crypto ACL defines interesting traffic with a TCP/UDP port or an
  IP protocol (ICMP, GRE, etc.) and also has the same source/destination network
  defined without any TCP/UDP port or IP protocol, then if the IPsec SA using the
  TCP/UDP port or IP protocol is brought up first, the IPsec SA for IP traffic
  (without IP protocol or TCP/UDP source/dest port) using only the source/dest IP
  is not built and the traffic is dropped.

 Conditions:

- Similar IP protocol and IP permit statements configured in the crypto ACL
  (ex. permit icmp and permit ip)
- The SA using the IP protocol (or source/dest ports) is brought up first (ex. by a ping)
- Traffic that doesn't match the first SA but matches the permit ip statement
  gets dropped and the IPsec SA isn't built.
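As an added example (not from the bug page and not Cisco's code), a small Python check that parses ASA extended ACL lines and flags the pattern named in the Conditions: a protocol- or port-specific permit ACE that shares its exact source/destination with a `permit ip` ACE in the same crypto ACL. The sample ACL below is constructed; only ACEs whose address specs are written identically are compared, so overlapping-but-differently-written subnets are not detected.

```python
# Flag crypto ACLs that carry both a protocol/port-specific permit and a plain
# "permit ip" for the same source/destination (the condition behind CSCtd51042).

# Constructed sample crypto ACL in ASA "extended" syntax (not from the bug page).
# The first two ACEs are the pattern from the Conditions: permit icmp + permit ip
# for the same networks. The tcp ACE has no matching permit ip and is not flagged.
SAMPLE_ACL = """\
access-list VPN-ACL extended permit icmp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN-ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN-ACL extended permit tcp host 10.1.3.5 10.2.2.0 255.255.255.0 eq 443
access-list VPN-ACL extended permit ip 10.1.4.0 255.255.255.0 any
"""

ONE_TOKEN = {"any", "any4", "any6"}            # address specs written as one token


def take_addr(tokens, i):
    """Consume one ASA address spec starting at tokens[i]; return (spec, next_index)."""
    t = tokens[i]
    if t in ONE_TOKEN:
        return t, i + 1
    # "host X", "object NAME", "object-group NAME" and "NETWORK MASK" are all two tokens
    return f"{t} {tokens[i + 1]}", i + 2


def parse_aces(text):
    """Parse 'access-list NAME extended permit PROTO SRC DST [port spec]' lines."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "permit":
            continue                               # skip deny ACEs, remarks, other config
        name, proto = tokens[1], tokens[4]
        src, i = take_addr(tokens, 5)
        dst, i = take_addr(tokens, i)
        aces.append({"name": name, "proto": proto, "src": src, "dst": dst,
                     "ports": " ".join(tokens[i:])})
    return aces


def find_overlaps(text):
    """Return (acl_name, proto, src, dst) for each non-"ip" permit ACE that has a
    'permit ip' ACE with identical source/destination in the same ACL."""
    aces = parse_aces(text)
    ip_keys = {(a["name"], a["src"], a["dst"]) for a in aces if a["proto"] == "ip"}
    return [(a["name"], a["proto"], a["src"], a["dst"]) for a in aces
            if a["proto"] != "ip" and (a["name"], a["src"], a["dst"]) in ip_keys]


if __name__ == "__main__":
    for name, proto, src, dst in find_overlaps(SAMPLE_ACL):
        print(f"{name}: 'permit {proto}' and 'permit ip' both cover {src} -> {dst}")
```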