Cisco Bug: CSCue42170 - IKEv2: Support Multi Selector under the same child SA
Last Modified
Jan 17, 2020
Products (1)
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
8.6(1) 9.1(7.13) 9.4(3.6)
Description (partial)
Symptom:
During IKEv2 negotiation, ASA rejects the peer's proposal of traffic selector. "debug crypto ikev2 protocol 127" says:
<debug samples>
IKEv2-PROTO-5: (1063): Failed to verify the proposed policies
IKEv2-PROTO-1: (1063): There was no IPSEC policy found for received TS
IKEv2-PROTO-1: (1063):
IKEv2-PROTO-5: (1063): SM Trace-> SA: I_SPI=017A6C1E54AE0C74 R_SPI=E3CF446D6AAC32D5 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_TS_UNACCEPT
IKEv2-PROTO-2: (1063): Sending TS unacceptable notify
Conditions:
This occurs when peer devices is sending multiple traffic selector in the same TS payload, because current ASA implemention only supports single traffic selector under the same child SA. Peer's proposals can be confirmed with "debug crypto ikev2 protocol 127" on ASA:
<debug samples>
TSi Next payload: TSr, reserved: 0x0, length: 40
Num of TSs: 2, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: X.X.X.X, end addr: X.X.X.X <== MULTIPLE SELECTORS
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: Y.Y.Y.Y, end addr: Y.Y.Y.Y <== MULTIPLE SELECTORS
TSr Next payload: NONE, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 0.0.0.0, end addr: 255.255.255.255 Related Community Discussions
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Status
- Severity
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases