Cisco Bug: CSCue42170 - IKEv2: Support Multi Selector under the same child SA

Last Modified

Sep 06, 2021

Products (1)

Cisco Adaptive Security Appliance (ASA) Software

Known Affected Releases

8.6(1) 9.1(7.13) 9.4(3.6)

Description (partial)

Symptom:
During IKEv2 negotiation, ASA rejects the peer's proposal of traffic selector. "debug crypto ikev2 protocol 127" says:

<debug samples>
IKEv2-PROTO-5: (1063): Failed to verify the proposed policies
IKEv2-PROTO-1: (1063): There was no IPSEC policy found for received TS
IKEv2-PROTO-1: (1063):
IKEv2-PROTO-5: (1063): SM Trace-> SA: I_SPI=017A6C1E54AE0C74 R_SPI=E3CF446D6AAC32D5 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_TS_UNACCEPT
IKEv2-PROTO-2: (1063): Sending TS unacceptable notify

Conditions:
This occurs when peer devices is sending multiple traffic selector in the same TS payload, because current ASA implemention only supports single traffic selector under the same child SA. Peer's proposals can be confirmed with "debug crypto ikev2 protocol 127" on ASA:

<debug samples>
 TSi  Next payload: TSr, reserved: 0x0, length: 40
    Num of TSs: 2, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: X.X.X.X, end addr: X.X.X.X      <== MULTIPLE SELECTORS
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: Y.Y.Y.Y, end addr: Y.Y.Y.Y      <== MULTIPLE SELECTORS
 TSr  Next payload: NONE, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 0.0.0.0, end addr: 255.255.255.255

Related Community Discussions

ASA series Firewall IKEV2 bug <key>CSCue42170</key>

HI we are using ASA version 9.8(1) .. which does not seems to be mentioned as affected release. [reference bug tracking at https://quickview.cloudapps.cisco.com/quickview/bug/<key>CSCue42170</key> ] But i want to ensure if anyone is already using this version 9.8 (1) along with IKEV2 and doing fine.. The reason being this is more recent release and might not have been evaluated for that bug. Appreciate if anyone who knows about this provides quick comment. Thank you regards Rakesh =====

Latest activity: Apr 14, 2020

View Bug Details in Bug Search Tool Login Required

Why Is Login Required?

Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

Full Description (including symptoms, conditions and workarounds)
Status
Severity
Known Fixed Releases
Related Community Discussions
Number of Related Support Cases

Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.

Learn More About Cisco Service Contracts

Preview Tool