Cisco Bug: CSCum54163 - IKEv2 leaks embryonic SAs during child SA negotiation with PFS mismatch
Last Modified
Apr 16, 2020
Products (1)
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
8.4
Description (partial)
Symptom: IKEv2 leaks embryonic SAs, which are visible via 'show crypto ipsec sa'.
Conditions: In site-to-site VPN scenarios where a peer is allowed to connect via a static crypto map or dynamic map configuration, but the entry is misconfigured without PFS while the initiator negotiates the tunnel with PFS. This is specific to a child SA negotiation, which can occur on a rekey of an existing IPsec SA or on the negotiation of an additional IPsec SA.