Cisco Bug: CSCue42170 - IKEv2: Support Multi Selector under the same child SA
Last Modified
Apr 13, 2021
Products (1)
- Cisco Adaptive Security Appliance (ASA) Software
Known Affected Releases
8.6(1) 9.1(7.13) 9.4(3.6)
Description (partial)
Symptom: During IKEv2 negotiation, the ASA rejects the traffic selector proposed by the peer. "debug crypto ikev2 protocol 127" shows:

<debug samples>
IKEv2-PROTO-5: (1063): Failed to verify the proposed policies
IKEv2-PROTO-1: (1063): There was no IPSEC policy found for received TS
IKEv2-PROTO-1: (1063):
IKEv2-PROTO-5: (1063): SM Trace-> SA: I_SPI=017A6C1E54AE0C74 R_SPI=E3CF446D6AAC32D5 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_TS_UNACCEPT
IKEv2-PROTO-2: (1063): Sending TS unacceptable notify

Conditions: This occurs when the peer device sends multiple traffic selectors in the same TS payload, because the current ASA implementation supports only a single traffic selector per Child SA. The peer's proposal can be confirmed with "debug crypto ikev2 protocol 127" on the ASA:

<debug samples>
TSi Next payload: TSr, reserved: 0x0, length: 40
  Num of TSs: 2, reserved 0x0, reserved 0x0
  TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: X.X.X.X, end addr: X.X.X.X <== MULTIPLE SELECTORS
  TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: Y.Y.Y.Y, end addr: Y.Y.Y.Y <== MULTIPLE SELECTORS
TSr Next payload: NONE, reserved: 0x0, length: 24
  Num of TSs: 1, reserved 0x0, reserved 0x0
  TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 0.0.0.0, end addr: 255.255.255.255

The tell in the debug output is "Num of TSs: 2" in the TSi together with its payload length of 40 bytes (the 8-byte TS payload header plus two 16-byte IPv4 selectors, per RFC 7296 section 3.13); a single IPv4 selector gives a 24-byte payload, as in the TSr above.
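As an added example (not Cisco's code and not part of the bug description), the Python below builds and parses IKEv2 Traffic Selector payloads in the RFC 7296 section 3.13 layout that the debug output above reflects, models the behaviour of the affected ASA releases (a TS payload is acceptable only when it carries exactly one selector), and re-encodes a multi-selector TSi as one single-selector payload per Child SA. That per-Child-SA split is an inference from the stated condition, not a Cisco-documented workaround. The 10.1.1.0/24 and 10.2.2.0/24 ranges are constructed sample values standing in for the sanitized X.X.X.X and Y.Y.Y.Y.

```python
"""IKEv2 Traffic Selector payload (RFC 7296 section 3.13): build, parse, and
check against the single-selector-per-Child-SA limit described in CSCue42170."""
import ipaddress
import struct

# Payload type and TS type codes from RFC 7296.
NEXT_PAYLOAD_NONE = 0
NEXT_PAYLOAD_TSI = 44
NEXT_PAYLOAD_TSR = 45
TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8
NEXT_PAYLOAD_NAMES = {NEXT_PAYLOAD_NONE: "NONE", NEXT_PAYLOAD_TSI: "TSi", NEXT_PAYLOAD_TSR: "TSr"}
TS_TYPE_ADDR_LEN = {TS_IPV4_ADDR_RANGE: 4, TS_IPV6_ADDR_RANGE: 16}


def build_ts_payload(next_payload, selectors):
    """Encode a TSi/TSr payload.

    selectors: list of (proto_id, start_port, end_port, start_addr, end_addr).
    Layout: 4-byte generic payload header, 1-byte Num of TSs + 3 reserved bytes,
    then one Traffic Selector per entry (8-byte fixed part + start/end address)."""
    body = b""
    for proto, start_port, end_port, start_addr, end_addr in selectors:
        sa, ea = ipaddress.ip_address(start_addr), ipaddress.ip_address(end_addr)
        if sa.version != ea.version:
            raise ValueError("start and end address must be the same family")
        ts_type = TS_IPV4_ADDR_RANGE if sa.version == 4 else TS_IPV6_ADDR_RANGE
        addrs = sa.packed + ea.packed
        body += struct.pack("!BBHHH", ts_type, proto, 8 + len(addrs), start_port, end_port) + addrs
    body = struct.pack("!B3x", len(selectors)) + body
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_ts_payload(data):
    """Decode a TS payload, validating every length field, into a dict that
    mirrors the fields printed by 'debug crypto ikev2 protocol 127'."""
    if len(data) < 8:
        raise ValueError("TS payload shorter than its fixed header")
    next_payload, _flags, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"payload length {length} != {len(data)} bytes received")
    num_ts = data[4]
    offset = 8
    selectors = []
    for _ in range(num_ts):
        if offset + 8 > length:
            raise ValueError("truncated traffic selector")
        ts_type, proto, sel_len, start_port, end_port = struct.unpack("!BBHHH", data[offset:offset + 8])
        addr_len = TS_TYPE_ADDR_LEN.get(ts_type)
        if addr_len is None:
            raise ValueError(f"unknown TS type {ts_type}")
        if sel_len != 8 + 2 * addr_len or offset + sel_len > length:
            raise ValueError(f"bad selector length {sel_len}")
        start_addr = ipaddress.ip_address(data[offset + 8:offset + 8 + addr_len])
        end_addr = ipaddress.ip_address(data[offset + 8 + addr_len:offset + sel_len])
        selectors.append((proto, start_port, end_port, str(start_addr), str(end_addr)))
        offset += sel_len
    if offset != length:
        raise ValueError("trailing bytes after last selector")
    return {"next_payload": next_payload, "length": length, "num_ts": num_ts, "selectors": selectors}


def asa_accepts_ts(payload):
    """Model the affected ASA releases: a TS payload is acceptable only if it
    carries exactly one selector; anything else draws TS_UNACCEPTABLE."""
    return parse_ts_payload(payload)["num_ts"] == 1


def split_per_child_sa(payload):
    """Re-encode a multi-selector payload as single-selector payloads, one per
    Child SA (inferred from the bug's condition, not a Cisco workaround)."""
    ts = parse_ts_payload(payload)
    return [build_ts_payload(ts["next_payload"], [sel]) for sel in ts["selectors"]]


def debug_lines(name, payload):
    """Render a payload roughly the way the ASA debug prints it."""
    ts = parse_ts_payload(payload)
    lines = [f"{name} Next payload: {NEXT_PAYLOAD_NAMES.get(ts['next_payload'], ts['next_payload'])}, "
             f"length: {ts['length']}", f"  Num of TSs: {ts['num_ts']}"]
    for proto, sp, ep, sa, ea in ts["selectors"]:
        lines.append(f"  TS type: TS_IPV{ipaddress.ip_address(sa).version}_ADDR_RANGE, proto id: {proto}, "
                     f"start port: {sp}, end port: {ep}, start addr: {sa}, end addr: {ea}")
    return lines


# Constructed sample proposal standing in for the sanitized X.X.X.X / Y.Y.Y.Y
# in the bug's debug output: two IPv4 ranges in one TSi, any-any in the TSr.
SAMPLE_TSI = build_ts_payload(NEXT_PAYLOAD_TSR, [
    (0, 0, 65535, "10.1.1.0", "10.1.1.255"),
    (0, 0, 65535, "10.2.2.0", "10.2.2.255"),
])
SAMPLE_TSR = build_ts_payload(NEXT_PAYLOAD_NONE, [(0, 0, 65535, "0.0.0.0", "255.255.255.255")])

if __name__ == "__main__":
    for line in debug_lines("TSi", SAMPLE_TSI) + debug_lines("TSr", SAMPLE_TSR):
        print(line)
    print("ASA accepts TSi as sent:", asa_accepts_ts(SAMPLE_TSI))
    for i, part in enumerate(split_per_child_sa(SAMPLE_TSI), 1):
        print(f"Child SA {i} accepted: {asa_accepts_ts(part)};", debug_lines("TSi", part)[2].strip())
```

The encoder reproduces the lengths from the debug output exactly (40 bytes for the two-selector TSi, 24 for the single-selector TSr), so the same parser can be pointed at a hex dump of a real TSi to confirm the "Num of TSs" count before raising the case with the peer's vendor.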