Cisco Bug: CSCue42170 - IKEv2: Support Multi Selector under the same child SA

Last Modified

Jan 17, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.6(1) 9.1(7.13) 9.4(3.6)

Description (partial)

Symptom:
During IKEv2 negotiation, the ASA rejects the peer's proposed traffic selectors. "debug crypto ikev2 protocol 127" shows:

<debug samples>
IKEv2-PROTO-5: (1063): Failed to verify the proposed policies
IKEv2-PROTO-1: (1063): There was no IPSEC policy found for received TS
IKEv2-PROTO-1: (1063):
IKEv2-PROTO-5: (1063): SM Trace-> SA: I_SPI=017A6C1E54AE0C74 R_SPI=E3CF446D6AAC32D5 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_TS_UNACCEPT
IKEv2-PROTO-2: (1063): Sending TS unacceptable notify

Conditions:
This occurs when the peer device sends multiple traffic selectors in the same TS payload, because the current ASA implementation only supports a single traffic selector under the same child SA. The peer's proposals can be confirmed with "debug crypto ikev2 protocol 127" on the ASA:

<debug samples>
 TSi  Next payload: TSr, reserved: 0x0, length: 40
    Num of TSs: 2, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: X.X.X.X, end addr: X.X.X.X      <== MULTIPLE SELECTORS
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: Y.Y.Y.Y, end addr: Y.Y.Y.Y      <== MULTIPLE SELECTORS
 TSr  Next payload: NONE, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 0.0.0.0, end addr: 255.255.255.255
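The TS payload layout that the debug output above is printing, as an added example (not Cisco's code and not from the original bug page): a small Python encoder/decoder for the IKEv2 Traffic Selector payload (RFC 7296, section 3.13), plus a check that flags a proposal carrying more than one selector in a TS payload, the condition this bug describes. The sample addresses are constructed stand-ins for X.X.X.X and Y.Y.Y.Y; the payload lengths come out as 40 and 24, matching the debug sample.

```python
import struct
from ipaddress import IPv4Address

TS_IPV4_ADDR_RANGE = 7   # TS type value from RFC 7296 section 3.13.1
NEXT_PAYLOAD_TSR, NEXT_PAYLOAD_NONE = 45, 0   # IKEv2 payload type numbers

def parse_ts_payload(data: bytes) -> dict:
    """Decode one IKEv2 Traffic Selector payload (TSi or TSr).
    Layout: 4-byte generic header (next payload, reserved, length), then
    Number of TSs (1 byte) + 3 reserved bytes, then the selectors. Only
    TS_IPV4_ADDR_RANGE selectors (16 bytes each) are decoded here."""
    next_payload, _, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"payload length field {length} != {len(data)} bytes")
    num_ts = data[4]
    selectors, off = [], 8
    for _ in range(num_ts):
        ts_type, proto, sel_len = struct.unpack("!BBH", data[off:off + 4])
        if ts_type != TS_IPV4_ADDR_RANGE or sel_len != 16:
            raise ValueError(f"unsupported TS type {ts_type}, length {sel_len}")
        sp, ep, sa, ea = struct.unpack("!HH4s4s", data[off + 4:off + 16])
        selectors.append({"proto": proto, "start_port": sp, "end_port": ep,
                          "start_addr": str(IPv4Address(sa)),
                          "end_addr": str(IPv4Address(ea))})
        off += sel_len
    return {"next_payload": next_payload, "num_ts": num_ts, "selectors": selectors}

def build_ts_payload(next_payload: int, selectors) -> bytes:
    """Encode selectors given as (proto, start_port, end_port, start_addr, end_addr)."""
    body = b"".join(
        struct.pack("!BBHHH4s4s", TS_IPV4_ADDR_RANGE, proto, 16, sp, ep,
                    IPv4Address(sa).packed, IPv4Address(ea).packed)
        for proto, sp, ep, sa, ea in selectors)
    return struct.pack("!BBHB3x", next_payload, 0, 8 + len(body), len(selectors)) + body

def hits_single_selector_limit(tsi: bytes, tsr: bytes) -> bool:
    """True when either payload carries more than one selector, the condition
    under which an ASA without the CSCue42170 fix replies TS_UNACCEPTABLE."""
    return parse_ts_payload(tsi)["num_ts"] > 1 or parse_ts_payload(tsr)["num_ts"] > 1

# Constructed sample mirroring the debug output: two single-host selectors in TSi
# (stand-ins for X.X.X.X and Y.Y.Y.Y) and the wildcard 0.0.0.0-255.255.255.255 in TSr.
SAMPLE_TSI = build_ts_payload(NEXT_PAYLOAD_TSR, [
    (0, 0, 65535, "192.0.2.10", "192.0.2.10"),
    (0, 0, 65535, "192.0.2.20", "192.0.2.20")])
SAMPLE_TSR = build_ts_payload(NEXT_PAYLOAD_NONE,
                              [(0, 0, 65535, "0.0.0.0", "255.255.255.255")])
```

Running `hits_single_selector_limit(SAMPLE_TSI, SAMPLE_TSR)` returns True for this proposal; re-encoding TSi with a single selector returns False, which is the shape of proposal an unfixed ASA accepts.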

Related Community Discussions

CSCue42170 - IKEv2 Support Multi Selector under the same child SA
Hi, we are seeing a similar issue with strongSwan and Cisco ASA 9.7(1)4. Can someone please confirm if this bug affects 9.7(1)4? Thanks, Prashanth
Latest activity: Jun 21, 2018