Cisco Bug: CSCuj66938 - ENH: Ikev2 should be able to parse large CERTREQ message

Last Modified

Oct 14, 2019

Products (9)

  • Cisco IOS
  • Cisco 7206 Router
  • Cisco 7301 Router
  • Cisco 7204 Router
  • Cisco 7206VXR Router
  • Cisco 7202 Router
  • Cisco 7200 Series NPE-G2 Network Processing Engine
  • Cisco 7204VXR Router
  • Cisco 7201 Router

Known Affected Releases

15.2(4)M

Description (partial)

Symptom:
IKEv2 negotiation fails because IOS cannot process a large number of CERTREQ payloads, logging:
IKEv2:number of cert req exceeds the reasonable limit (100)
IKEv2:(SA ID = 1):Failed to enqueue an item to a list
IKEv2:(SA ID = 1):Failed to parse the packet

Conditions:
ISR/ASR FlexVPN Remote Access Server with the Windows 7 built-in IKEv2 client, where the Windows 7 Machine Certificate Store holds more than 100 Trusted Root CA certificates
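As an added example, not code from the bug page or from Cisco: a small Python parser that walks an IKEv2 payload chain (generic payload header layout per RFC 7296), counts CERTREQ payloads and the CA hashes they carry, and reports when the count passes a configurable cap (the 100 from the log line above) instead of abandoning the parse. The sample chain is constructed; the payload type and encoding constants are the RFC values.

```python
import struct
from dataclasses import dataclass

CERTREQ = 38           # IKEv2 payload type: Certificate Request (RFC 7296 section 3.7)
NO_NEXT_PAYLOAD = 0
X509_SIG_ENCODING = 4  # "X.509 Certificate - Signature": CA field is concatenated 20-byte SHA-1 hashes
CERTREQ_LIMIT = 100    # the "reasonable limit" quoted in the IOS log line

@dataclass
class CertReqSummary:
    certreq_payloads: int
    ca_hashes: int
    over_limit: bool

def walk_payloads(first_type: int, data: bytes):
    """Yield (payload_type, body) for a payload chain; first_type comes from the IKE header."""
    ptype, off = first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        if off + 4 > len(data):
            raise ValueError("truncated generic payload header")
        next_type, _flags, length = struct.unpack("!BBH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        yield ptype, data[off + 4:off + length]
        ptype, off = next_type, off + length
    if off != len(data):
        raise ValueError("trailing bytes after last payload")

def summarize_certreq(first_type: int, data: bytes, limit: int = CERTREQ_LIMIT) -> CertReqSummary:
    """Count CERTREQ payloads and CA hashes; flag the over-limit case rather than failing."""
    payloads = hashes = 0
    for ptype, body in walk_payloads(first_type, data):
        if ptype != CERTREQ:
            continue
        payloads += 1
        if body and body[0] == X509_SIG_ENCODING:
            hashes += (len(body) - 1) // 20
    return CertReqSummary(payloads, hashes, payloads > limit)

def build_certreq_chain(n: int) -> bytes:
    """Constructed test input: n CERTREQ payloads, each with one fake 20-byte CA hash."""
    out = bytearray()
    for i in range(n):
        next_type = CERTREQ if i < n - 1 else NO_NEXT_PAYLOAD
        body = bytes([X509_SIG_ENCODING]) + i.to_bytes(20, "big")
        out += struct.pack("!BBH", next_type, 0, 4 + len(body)) + body
    return bytes(out)
```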

Related Community Discussions

Windows 7 to IOS via IKEv2 certificate Cert_req payload
Hi, this article explains it very well. https://supportforums.cisco.com/document/98366/flexvpn-ikev2-windows-7-builtin-client-ios-headend-part-i-certificate-authentication But does somebody have an explanation for this: "On the Windows 7 Client Certificate Store, make sure that the Machine Trusted Root Certificate Authorities Store has as few certificates as possible. If it has more than, say, close to 50, IOS might fail to read the entire Cert_Req payload (which contains the DN of all the known CAs) ...
Latest activity: Jul 03, 2014