Cisco Bug: CSCul55863 - ASA with ICMP insp. drops replies with 'seq num not matched' code

Last Modified

Apr 16, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.1(2) 9.1(3)

Description (partial)

Symptom:
The ASA drops approximately 50% of ICMP echo replies arriving from a VPN tunnel.

Conditions:
ASA running version 9.1.2+ with ICMP echo inspection enabled and terminating a VPN tunnel.

Related Community Discussions

Troubles using VRF-aware IPsec w/ crypto maps
I'm trying to get a lab setup to work with a C2951 (15.2(4)M4) peering with an ASA 5510 (9.1(2)). The config is based on crypto maps, since I want the C2951 to be the initiating side, and as far as I understand, VTIs wouldn't be working together with the ASA due to the default 'any' crypto statements that are being applied on SVTIs. So I've set up this IKEv1-, crypto map-based lab, and the tunnel strictly won't come up; it seems that crypto doesn't find any interesting traffic at all (no debug ...
Latest activity: Nov 25, 2013