Cisco Bug: CSCum22612 - ASR1k IKE SA Stuck in MM_KEY_EXCH with RSA-SIG blocking new SAs with CAC

Last Modified

Nov 27, 2020

Products (1)

Cisco ASR 1000 Series Aggregation Services Routers

Known Affected Releases

15.2(4)S

Description (partial)

Symptom:
Since the ASR fails to send MM6 [being a responder] in the absence of a valid certificate, IKE SAs start leaking and hence get stuck in MM_KEY_EXCH state. Multiple MM_KEY_EXCH exist for a single Peer on the ASR, however the Peer does not retain any SAs for ASR in this case.
Along with CAC for in-negotiation IKE SAs, these stuck SAs block any new SAs or IKE rekeys even after renewing the certificates on the ASR.

Conditions:
This symptom is observed under the following conditions:
- ASR acting as IKEv1 termination point [sVTI for example] and is a responder.
- IKE authentication mode is RSA-SIG [Certificates]. 
- On the ASR, the ID-Certificate is either Expired or Not-present for a given sVTI tunnel
- The ASR also has a IKE in-negotiation CAC of a certain value.
Example:
  crypto call admission limit ike in-negotiation-sa 30

View Bug Details in Bug Search Tool Login Required

Why Is Login Required?

Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

Full Description (including symptoms, conditions and workarounds)
Status
Severity
Known Fixed Releases
Related Community Discussions
Number of Related Support Cases

Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.

Learn More About Cisco Service Contracts