Cisco Bug: CSCtd92043 - Ph2 rekey use wrong proxy-id's on cat6k ezvpn ipsec-spa-2g
Jan 29, 2017
- Cisco Catalyst 6000 Series Switches
Known Affected Releases
Symptom: VPN clients might get unexpectedly disconnected from the hub (Catalyst 6500 + IPSec-SPA-2G) upon rekey. The VPN client logs will display:

2645 00:00:00 01/01/09 Sev=Warning/3 IKE/0xE30000A9 Invalid Proxies for requested QM negotiation: LocalProxy : ID=192.168.0.3 Protocol=0 port=0, RemoteProxy : ID=0.0.0.0/0.0.0.0 Protocol=0 port=0 :(PLMgrID:123)

The same client can reconnect later without problem. Note that this occurs when neither the VPN client nor the hub is behind a NAT device.

Conditions: This behavior occurs as a consequence of the following scenario:
1) PC1 and PC2 receive IP1 and IP2 respectively from the local pool configured on the hub (Catalyst 6500) upon VPN client connection.
2) PC1 gets abruptly disconnected.
3) PC1 reconnects and gets IP3.
4) Upon the next rekey, the Catalyst 6500 erroneously initiates the rekey using IP1 as the proxy identity for client PC1, leading to its disconnection (PC1 drops the rekey message).
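To triage this on the client side, the "Invalid Proxies" warning quoted above can be parsed and the LocalProxy ID compared with the address the client currently holds from the hub's pool: a warning whose LocalProxy ID is a pool address the client no longer owns matches the stale-proxy rekey described under Conditions, while a warning that names the current address points at a different cause. The script below is an added example, not code from Cisco or from this bug record; the log lines, the client's current address (192.168.0.10) and the non-warning line are constructed, and it assumes the LocalProxy ID in the warning is the identity proposed for the quick-mode negotiation.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern for the Cisco VPN client "Invalid Proxies" warning in the format quoted in the bug report:
# "<seq> <hh:mm:ss> <mm/dd/yy> Sev=<name>/<n> IKE/<code> Invalid Proxies for requested QM negotiation: ..."
LOG_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d+)\s+IKE/(?P<code>0x[0-9A-Fa-f]+)\s+"
    r"Invalid Proxies for requested QM negotiation:\s*"
    r"LocalProxy\s*:\s*ID=(?P<local_id>\S+)\s+Protocol=(?P<local_proto>\d+)\s+port=(?P<local_port>\d+),\s*"
    r"RemoteProxy\s*:\s*ID=(?P<remote_id>\S+)\s+Protocol=(?P<remote_proto>\d+)\s+port=(?P<remote_port>\d+)"
    r"\s*:\(PLMgrID:(?P<plmgr>\d+)\)"
)

# Constructed sample log: the second line is the warning quoted in the bug report, the first is an
# unrelated informational line, the third is a warning that names the client's current address.
SAMPLE_LOG = """\
2643 00:00:00 01/01/09 Sev=Info/4 IKE/0x0 Constructed informational line, not a proxy warning
2645 00:00:00 01/01/09 Sev=Warning/3 IKE/0xE30000A9 Invalid Proxies for requested QM negotiation: LocalProxy : ID=192.168.0.3 Protocol=0 port=0, RemoteProxy : ID=0.0.0.0/0.0.0.0 Protocol=0 port=0 :(PLMgrID:123)
2650 00:00:05 01/01/09 Sev=Warning/3 IKE/0xE30000A9 Invalid Proxies for requested QM negotiation: LocalProxy : ID=192.168.0.10 Protocol=0 port=0, RemoteProxy : ID=0.0.0.0/0.0.0.0 Protocol=0 port=0 :(PLMgrID:124)
"""


@dataclass(frozen=True)
class ProxyWarning:
    """One parsed 'Invalid Proxies' warning from the VPN client log."""
    seq: int
    timestamp: str
    local_id: str
    remote_id: str
    plmgr_id: int


def parse_invalid_proxy(line: str) -> Optional[ProxyWarning]:
    """Parse a single client log line; return None for lines that are not this warning."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return ProxyWarning(
        seq=int(m["seq"]),
        timestamp=f"{m['date']} {m['time']}",
        local_id=m["local_id"],
        remote_id=m["remote_id"],
        plmgr_id=int(m["plmgr"]),
    )


def find_stale_proxy_events(lines: List[str], current_ip: str) -> List[ProxyWarning]:
    """Return the warnings whose LocalProxy ID is a host address other than the client's current one.

    current_ip is the pool address the client holds now (assumed known from the client's own
    connection records); a LocalProxy ID that differs from it is the stale-identity signature
    described in the bug's Conditions section.
    """
    current = ipaddress.ip_address(current_ip)
    stale = []
    for line in lines:
        warning = parse_invalid_proxy(line)
        if warning is None:
            continue
        try:
            local = ipaddress.ip_address(warning.local_id)
        except ValueError:
            continue  # a subnet-style ID is not the single-host identity this check is about
        if local != current:
            stale.append(warning)
    return stale


if __name__ == "__main__":
    for event in find_stale_proxy_events(SAMPLE_LOG.splitlines(), "192.168.0.10"):
        print(f"{event.timestamp} seq={event.seq} PLMgrID={event.plmgr_id}: "
              f"hub proposed stale proxy {event.local_id}, client holds 192.168.0.10")
```

Run over a real client log, the only lines that matter are the ones returned; the current address is the one that must come from the client's own records rather than from the warning itself, since the warning shows the proposed identity, not the one in use.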