Cisco Bug: CSCun45787 - Duplicate CHILD SAs in 1 IKEv2 SA, traffic dropped due to vpn-overlap-conflict
Aug 24, 2020
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom: When the conditions below are met, the ASA may create multiple SPI sets for a single proxy-ID set, that is, multiple IPsec SAs (Child SAs) for the same local and remote subnets/identities. This occurs only for the second and subsequent Child-SA negotiations, not for the first Child SA created during IKE_AUTH. When it happens, the ASA drops traffic over this SA with the "vpn-overlap-conflict" ASP drop reason (see show asp drop).

Conditions: ASA acting as an IKEv2 L2L endpoint with more than one IPsec SA negotiated; the IKEv2 SA goes down and re-negotiates due to an external communication failure.
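As an added example (not from Cisco or this bug record), a Python check that groups child SAs by proxy-ID set and flags any set that owns more than one SPI pair, which is the duplicate-Child-SA condition described above; the constructed sample assumes the ident and spi line layout of ASA "show crypto ipsec sa" output.

```python
import re
from collections import defaultdict

# Constructed, trimmed sample modelled on ASA "show crypto ipsec sa" output
# (assumption: real output has more fields and may vary by release). The first
# two child SAs carry identical local/remote idents: the CSCun45787 symptom.
SAMPLE_OUTPUT = """\
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
        spi: 0x1A2B3C4D (439041101)
        spi: 0x5E6F7A8B (1584757387)
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
        spi: 0x11112222 (286335522)
        spi: 0x33334444 (858993732)
      local ident (addr/mask/prot/port): (10.1.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.4.0/255.255.255.0/0/0)
        spi: 0xAAAABBBB (2863315899)
        spi: 0xCCCCDDDD (3437226461)
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")
SPI_RE = re.compile(r"spi: (0x[0-9A-Fa-f]+)")


def find_duplicate_child_sas(output):
    """Map (local ident, remote ident) -> list of SPI sets; return only the
    proxy-ID sets that own more than one child SA."""
    sas = defaultdict(list)
    local = remote = None
    spis = []
    for line in output.splitlines():
        m = IDENT_RE.search(line)
        if m and m.group(1) == "local":
            # A new SA block starts: file the previous block's SPIs first.
            if local and remote and spis:
                sas[(local, remote)].append(tuple(spis))
            local, remote, spis = m.group(2), None, []
        elif m:
            remote = m.group(2)
        else:
            s = SPI_RE.search(line)
            if s:
                spis.append(s.group(1))
    if local and remote and spis:
        sas[(local, remote)].append(tuple(spis))
    return {k: v for k, v in sas.items() if len(v) > 1}
```

A non-empty result means the device holds more than one Child SA for the same selectors, which is the state that produces the vpn-overlap-conflict drops.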