Cisco Bug: CSCtd92043 - Ph2 rekey use wrong proxy-id's on cat6k ezvpn ipsec-spa-2g

Last Modified

Jan 29, 2017

Products (1)

  • Cisco Catalyst 6000 Series Switches

Known Affected Releases

12.2(33)SXI 12.2SXI

Description (partial)

Symptom:

VPN clients might be unexpectedly disconnected from the hub (Catalyst 6500 with IPSec-SPA-2G) upon rekey.

The VPN client logs will display:

2645   00:00:00  01/01/09  Sev=Warning/3    IKE/0xE30000A9
Invalid Proxies for requested QM negotiation: LocalProxy : ID=192.168.0.3 Protocol=0 port=0, RemoteProxy : ID=0.0.0.0/0.0.0.0 Protocol=0 port=0 :(PLMgrID:123)

The same client can reconnect later without any problem.

Note that this occurs when neither the VPN client nor the hub is behind a NAT device.

Conditions:

This behavior occurs as a consequence of the following scenario:

1) PC1 and PC2 respectively receive IP1 and IP2 from the local pool configured on the hub (Catalyst 6500) when their VPN clients connect.
2) PC1 is abruptly disconnected.
3) PC1 reconnects and gets IP3.
4) At the next rekey, the Catalyst 6500 erroneously initiates the rekey using IP1 as the proxy identity for client PC1, leading to its disconnection (PC1 drops the rekey message).
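As an added triage helper (not part of this Cisco bug record), the following Python parses the client-side IKE warning quoted above and flags a LocalProxy ID that differs from the address the client currently holds, which is the stale IP1 proxy identity described in step 4. The sample log text is the line quoted in the Symptom section; the current client address passed in is an assumed value.

```python
import re
from ipaddress import ip_address

# Constructed sample: the IKE warning quoted in the Symptom section of this bug.
SAMPLE_LOG = (
    "2645   00:00:00  01/01/09  Sev=Warning/3    IKE/0xE30000A9\n"
    "Invalid Proxies for requested QM negotiation: LocalProxy : ID=192.168.0.3 "
    "Protocol=0 port=0, RemoteProxy : ID=0.0.0.0/0.0.0.0 Protocol=0 port=0 :(PLMgrID:123)"
)

# Matches the proxy identities the client rejected in a Quick Mode (phase 2) rekey.
PROXY_RE = re.compile(
    r"Invalid Proxies for requested QM negotiation: "
    r"LocalProxy : ID=(?P<local>[\d.]+) .*?RemoteProxy : ID=(?P<remote>[\d./]+)"
)


def parse_invalid_proxies(log_text):
    """Return (local_proxy, remote_proxy) pairs for every rejected QM rekey in the log."""
    return [(m.group("local"), m.group("remote")) for m in PROXY_RE.finditer(log_text)]


def stale_proxy_rekeys(log_text, current_client_ip):
    """Return the LocalProxy IDs from rejected rekeys that do not match the pool
    address the client holds now (the IP1-vs-IP3 mismatch from the Conditions).

    current_client_ip is an assumed input: the address the client was assigned
    on its most recent connection (IP3 in the scenario above).
    """
    current = ip_address(current_client_ip)
    return [local for local, _ in parse_invalid_proxies(log_text)
            if ip_address(local) != current]


if __name__ == "__main__":
    # A client now holding 192.168.0.7 that is offered 192.168.0.3 in the rekey
    # shows the stale proxy-id signature; a matching address does not.
    print(stale_proxy_rekeys(SAMPLE_LOG, "192.168.0.7"))
    print(stale_proxy_rekeys(SAMPLE_LOG, "192.168.0.3"))
```

An empty result for a client whose current address matches the LocalProxy ID means the rejection has some other cause and this bug is not the explanation.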

Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
