Cisco Bug: CSCtd51042 - ASA: ip IPSec SA not brought up if similar icmp SA is up
Nov 09, 2016
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom: When a crypto ACL defines interesting traffic with an entry that specifies a TCP/UDP port or an IP protocol (ICMP, GRE, etc.) and also contains an entry for the same source/destination networks without any port or protocol (a plain permit ip), and the IPsec SA for the port- or protocol-specific entry is brought up first, the IPsec SA for the plain IP traffic (matched only on source/destination address) is never built and that traffic is dropped.

Conditions:
- Similar IP protocol and permit ip statements configured in the crypto ACL (e.g. permit icmp and permit ip for the same networks)
- The SA using the IP protocol (or source/destination ports) is brought up first (e.g. by a ping)
- Traffic that does not match the first SA but matches the permit ip statement is dropped and its IPsec SA is not built
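The configuration condition above (a protocol- or port-specific ACE alongside a plain permit ip ACE for the same networks) can be checked statically before the runtime ordering of SAs ever matters. The following checker is an added example, not Cisco's code or part of the bug report; the ACL name, networks and ACE lines are constructed sample input.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample crypto ACL (not from the bug report): the icmp and the
# first "permit ip" entry cover the same source/destination networks.
SAMPLE_ACL = """
access-list VPN_ACL extended permit icmp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN_ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN_ACL extended permit tcp host 10.1.1.5 10.3.3.0 255.255.255.0 eq 443
access-list VPN_ACL extended permit ip 10.9.9.0 255.255.255.0 10.8.8.0 255.255.255.0
"""

def _take_addr(tokens):
    """Consume one ASA address spec (any | host A | A NETMASK) from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # ASA ACLs use a netmask, not an IOS-style wildcard
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)

def parse_acl(text):
    """Return {acl_name: [(protocol, src_net, dst_net, ace_line), ...]} for permit ACEs."""
    aces = defaultdict(list)
    for line in text.strip().splitlines():
        m = re.match(r"access-list (\S+) extended permit (\S+) (.*)", line.strip())
        if not m:
            continue
        name, proto, rest = m.groups()
        tokens = rest.split()
        src = _take_addr(tokens)
        dst = _take_addr(tokens)  # any trailing "eq PORT" is irrelevant to the check
        aces[name].append((proto, src, dst, line.strip()))
    return aces

def find_overlaps(text):
    """List (specific_ace, permit_ip_ace) pairs where a protocol- or port-specific
    entry is fully covered by a plain "permit ip" entry in the same crypto ACL."""
    findings = []
    for entries in parse_acl(text).values():
        ip_aces = [e for e in entries if e[0] == "ip"]
        for proto, src, dst, line in entries:
            if proto == "ip":
                continue
            for _, isrc, idst, iline in ip_aces:
                if src.subnet_of(isrc) and dst.subnet_of(idst):
                    findings.append((line, iline))
    return findings

if __name__ == "__main__":
    for specific, generic in find_overlaps(SAMPLE_ACL):
        print("overlapping crypto ACEs:\n  " + specific + "\n  " + generic)
```

On the sample input only the icmp/permit ip pair is reported; the tcp entry has no covering permit ip entry for its destination and is left alone.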