
Cisco Bug: CSCum94408 - IOS PKI Public Key caching fails during IKE MM6 Signature verification

Last Modified

Nov 27, 2020

Products (2)

  • Cisco 2600 Series Multiservice Platforms

Known Affected Releases

15.2(4)M, 15.2(4)S

Description (partial)

Symptom:
Intermittently, VPN tunnels may get stuck in the MM_KEY_EXCH state when certificate authentication is used, and the following error messages are seen in the debug output
(debug crypto isakmp and debug crypto pki m/t/v/c):

ISAKMP (35845): adding peer's pubkey to cache
ISAKMP:(35845): processing SIG payload. message ID = 0
%CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.

Conditions:
This symptom occurs on Cisco IOS configured for IKEv1 with RSA-SIG (certificate) authentication. The PKI infrastructure is a three-level chain:
Root -> Sub -> ID
- Root and Sub Trustpoint have "revocation-check crl none".
- Sub has "chain-validation continue Root".