Cisco Bug: CSCun45787 - Duplicate CHILD SAs in 1 IKEv2 SA, traffic dropped due to vpn-overlap-conflict

Last Modified

Aug 24, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

  • 100.12(30.8)
  • 9.1(4)

Description (partial)

Symptom:
Under the conditions below, the ASA may create multiple SPI sets for a single proxy-ID set, i.e. multiple IPsec SAs (Child SAs) are negotiated for the same pair of local and remote subnets/identities.

This affects only the second and subsequent Child SA negotiations; the first Child SA, created during the IKE_AUTH exchange, is not affected.

When it occurs, the ASA drops traffic over the affected SA with the "vpn-overlap-conflict" ASP drop reason (visible in "show asp drop").

Conditions:
ASA acting as an IKEv2 L2L (site-to-site) endpoint with more than one IPsec SA negotiated.
The IKEv2 SA goes down and is renegotiated after an external communication failure.
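The symptom above can be checked from the CLI by correlating two outputs: "show crypto ipsec sa" (more than one inbound SPI for the same local/remote proxy-ID pair) and "show asp drop" (a non-zero vpn-overlap-conflict counter). The script below is an added example, not Cisco's code or part of this bug report; the sample output embedded in it is constructed and only loosely modeled on the ASA layout of those two commands (the "local ident"/"remote ident", "spi:" and "(vpn-overlap-conflict)" tokens it keys on), so run the functions on output captured from your own device. Note the caveat in the code: a normal rekey also shows two SAs for one proxy-ID pair for a short time, so compare two snapshots or require the drop counter to be climbing before attributing it to this bug.

```python
"""Detect duplicate Child SAs per proxy-ID pair plus vpn-overlap-conflict drops.

Added example for CSCun45787, not Cisco's code. The SAMPLE_* strings are
CONSTRUCTED and only loosely modeled on ASA 'show crypto ipsec sa' and
'show asp drop' output; feed the functions real captured output.
"""
import re
from collections import defaultdict

# Constructed: one proxy-ID pair with two inbound/outbound SPIs (the symptom),
# one healthy pair with a single SA in each direction.
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 192.0.2.1

      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1
    inbound esp sas:
      spi: 0x1A2B3C4D (439041101)
         in use settings ={L2L, Tunnel, IKEv2, }
      spi: 0x9C0D1E2F (2618170927)
         in use settings ={L2L, Tunnel, IKEv2, }
    outbound esp sas:
      spi: 0x5E6F7A8B (1584634507)
      spi: 0x30415263 (809587299)

      local ident (addr/mask/prot/port): (10.1.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.4.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1
    inbound esp sas:
      spi: 0xAABBCCDD (2864434397)
    outbound esp sas:
      spi: 0x11223344 (287454020)
"""

# Constructed: drop counters keyed by the reason name in parentheses.
SAMPLE_ASP_DROP = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                     1204
  VPN overlap conflict (vpn-overlap-conflict)                        17
"""

IDENT_RE = re.compile(r"^\s*(local|remote) ident \(addr/mask/prot/port\): \((.+)\)\s*$")
PEER_RE = re.compile(r"^\s*current_peer: ([^\s,]+)")
DIR_RE = re.compile(r"^\s*(inbound|outbound) esp sas:")
SPI_RE = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)")
ASP_RE = re.compile(r"\(vpn-overlap-conflict\)\s+(\d+)\s*$")


def parse_ipsec_sa(text):
    """Map (peer, local_ident, remote_ident) -> {'inbound': [spis], 'outbound': [spis]}.

    Keying on the proxy-ID pair means duplicates are caught whether they appear as
    extra 'spi:' lines under one ident block or as a repeated ident block.
    """
    sas = defaultdict(lambda: {"inbound": [], "outbound": []})
    local = remote = peer = direction = None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local":  # a new proxy-ID block starts here
                local, remote, peer, direction = m.group(2), None, None, None
            else:
                remote = m.group(2)
            continue
        m = PEER_RE.match(line)
        if m:
            peer = m.group(1)
            continue
        m = DIR_RE.match(line)
        if m:
            direction = m.group(1)
            continue
        m = SPI_RE.match(line)
        if m and direction and local and remote:
            sas[(peer, local, remote)][direction].append(m.group(1).lower())
    return sas


def find_duplicate_child_sas(sas):
    """Proxy-ID pairs with more than one inbound SPI.

    Caveat: a normal rekey also leaves two SAs for a short time, so compare two
    snapshots a minute apart, or require overlap drops to be non-zero and rising.
    """
    return sorted(key for key, spis in sas.items() if len(spis["inbound"]) > 1)


def overlap_conflict_drops(asp_text):
    """Return the vpn-overlap-conflict counter from 'show asp drop' (0 if absent)."""
    for line in asp_text.splitlines():
        m = ASP_RE.search(line)
        if m:
            return int(m.group(1))
    return 0


def diagnose(ipsec_text, asp_text):
    """Combine both checks: duplicates AND drops together match the bug's symptom."""
    dups = find_duplicate_child_sas(parse_ipsec_sa(ipsec_text))
    drops = overlap_conflict_drops(asp_text)
    return {"duplicates": dups, "overlap_drops": drops,
            "matches_symptom": bool(dups) and drops > 0}


if __name__ == "__main__":
    result = diagnose(SAMPLE_IPSEC_SA, SAMPLE_ASP_DROP)
    for peer, loc, rem in result["duplicates"]:
        print(f"peer {peer}: {loc} <-> {rem} has duplicate Child SAs")
    print("vpn-overlap-conflict drops:", result["overlap_drops"])
    print("matches CSCun45787 symptom:", result["matches_symptom"])
```

Paste the two command outputs into files and call `diagnose(open(f1).read(), open(f2).read())`; a hit on a fixed release, or without a rising drop counter, points at an ordinary rekey rather than this bug.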