Cisco Bug: CSCuo45321 - ASA allows IKEv1 clients to bypass address assignment, causing conflict
Apr 16, 2020
- Cisco ASA 5500-X Series Firewalls
Symptom: The ASA allows some non-Cisco IKEv1 clients to use an assigned IP address without going through address assignment. The address is therefore never marked as in-use in the address pool and may later be assigned to another client that does go through address assignment. When that happens, the conflict is resolved by kicking out the oldest IKEv1 session using that IP. Additionally, the ASA does not check that the client actually opens a tunnel matching its assigned address, which can lead to the same conflict.

Conditions:
- A mixture of Cisco and non-Cisco IKEv1 clients is in use.
- A non-Cisco IKEv1 client uses an assigned address without going through address assignment, or ignores the address assignment result.
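The following is an added illustration of the mechanism the report describes; it is not Cisco code and makes no claim about how the ASA implements its pools. It models a remote-access address pool in two modes: a "lenient" mode that reproduces the reported behaviour (a tunnel may be opened for an address that was never handed out, so the pool does not mark it in-use, and a later collision is settled by dropping the oldest session), and a "strict" mode with the check the report says is missing (the tunnel address must equal the address assigned to that session). The pool addresses, client names and the `audit` helper are constructed for the example.

```python
"""Toy model of the IKEv1 address-pool conflict in CSCuo45321 (illustration only)."""
from dataclasses import dataclass
from itertools import count
from typing import List, Optional


@dataclass
class Session:
    client: str
    seq: int                          # lower value = older session
    assigned: Optional[str] = None    # address handed out by address assignment
    tunnel: Optional[str] = None      # address the client actually opened a tunnel for
    active: bool = True


class AddressPool:
    """Constructed pool; 'strict' models the missing tunnel-matches-assignment check."""

    def __init__(self, addresses: List[str], strict: bool):
        self.free = list(addresses)
        self.strict = strict
        self.sessions: List[Session] = []
        self.kicked: List[str] = []   # clients torn down to resolve an address conflict
        self._seq = count()

    def active(self) -> List[Session]:
        return [s for s in self.sessions if s.active]

    def assign(self, session: Session) -> str:
        # Only addresses handed out here are marked in-use (removed from 'free').
        session.assigned = self.free.pop(0)
        return session.assigned

    def release(self, session: Session) -> None:
        session.active = False
        if session.assigned is not None and session.assigned not in self.free:
            self.free.append(session.assigned)

    def open_tunnel(self, session: Session, addr: Optional[str]) -> bool:
        if self.strict and (session.assigned is None or addr != session.assigned):
            # Hardened behaviour: reject a tunnel for any address other than the one
            # this session was assigned; this also rejects clients that skipped assignment.
            self.release(session)
            return False
        holders = [s for s in self.active() if s.tunnel == addr]
        session.tunnel = addr
        if holders:
            # Reported conflict resolution: the oldest session using the address loses.
            oldest = min(holders + [session], key=lambda s: s.seq)
            self.kicked.append(oldest.client)
            self.release(oldest)
        return session.active

    def connect(self, client: str, request_assignment: bool = True,
                tunnel_addr: Optional[str] = None) -> bool:
        s = Session(client, next(self._seq))
        self.sessions.append(s)
        if request_assignment:
            self.assign(s)
        if tunnel_addr is None:
            tunnel_addr = s.assigned
        return self.open_tunnel(s, tunnel_addr)


def audit(pool: AddressPool):
    """Defender-side check over the session table: flag sessions whose tunnel address
    differs from (or was never given by) assignment, and addresses shared by sessions."""
    findings, seen = [], {}
    for s in pool.active():
        if s.tunnel != s.assigned:
            findings.append(("tunnel-mismatch", s.client))
        seen.setdefault(s.tunnel, []).append(s.client)
    for addr, clients in seen.items():
        if len(clients) > 1:
            findings.append(("duplicate-address", addr))
    return findings


def replay(strict: bool) -> dict:
    """Replay the report's scenario with constructed addresses and client names."""
    pool = AddressPool(["192.0.2.10", "192.0.2.11"], strict=strict)
    out = {}
    # Non-Cisco client opens a tunnel for 192.0.2.10 without requesting assignment.
    out["rogue_accepted"] = pool.connect("rogue", request_assignment=False,
                                         tunnel_addr="192.0.2.10")
    out["findings_before"] = audit(pool)
    # Well-behaved client goes through assignment; the pool still believes .10 is free.
    out["good_accepted"] = pool.connect("good")
    out["kicked"] = list(pool.kicked)
    out["active"] = [s.client for s in pool.active()]
    return out


if __name__ == "__main__":
    print("lenient:", replay(strict=False))
    print("strict: ", replay(strict=True))
```

In lenient mode the rogue tunnel is accepted, the audit already reports a tunnel-mismatch for it, and the later assignment of the same address to the well-behaved client kicks the rogue session; in strict mode the rogue tunnel is refused up front and no conflict arises.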