
Cisco Bug: CSCuo45321 - ASA allows IKEv1 clients to bypass address assignment, causing conflict

Last Modified

Apr 16, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.2(5.46)

Description (partial)

Symptom:
The ASA allows some non-Cisco IKEv1 clients to use an assigned IP without going through address assignment. The IP the client uses is therefore not marked as in-use in the address pool, so it may later be assigned to another client that does go through address assignment. When that happens, the conflict is resolved by kicking out the oldest IKEv1 session using that IP.

Additionally, the ASA does not check that the client actually opens a tunnel matching its assigned address. This can lead to the same conflict described above.

Conditions:
A mixture of Cisco and non-Cisco IKEv1 clients is in use.

A non-Cisco IKEv1 client uses an assigned address without going through address assignment, or ignores the address assignment result.
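The conflict described under Symptom and Conditions, as an added example that is not Cisco's code: a small Python model of the head-end address pool with the bug-era behaviour (the tunnel is accepted and the oldest session is kicked on a clash) beside the check a fixed build needs (the phase 2 proxy identity must match the pool-assigned address). `Session`, `Headend` and the 10.0.0.x addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:
    sid: int
    assigned: Optional[str] = None  # address the pool handed out (None if mode-config skipped)
    tunnel: Optional[str] = None    # address the client protects in its phase 2 SA


@dataclass
class Headend:
    """Constructed model of the ASA head-end pool; not the real implementation."""
    pool: List[str]
    enforce: bool = False           # False models the bug, True models the fixed check
    in_use: Dict[str, Session] = field(default_factory=dict)   # ip -> session that owns it
    active: List[Session] = field(default_factory=list)        # oldest first
    log: List[str] = field(default_factory=list)

    def connect(self, sid: int, request_address: bool, tunnel_ip: str) -> bool:
        """Phase 1 is done; optionally run address assignment, then build the phase 2 SA."""
        s = Session(sid)
        if request_address:
            free = [ip for ip in self.pool if ip not in self.in_use]
            if not free:
                self.log.append(f"session {sid}: pool exhausted")
                return False
            s.assigned = free[0]
            self.in_use[s.assigned] = s
        s.tunnel = tunnel_ip
        if self.enforce and s.tunnel != s.assigned:
            # Fixed behaviour: a client that skipped assignment, or ignores the address it
            # was given, may not open a tunnel for an arbitrary pool address.
            self.log.append(f"session {sid}: aborting, phase 2 SA for {tunnel_ip} "
                            f"does not match assigned {s.assigned}")
            if s.assigned:
                del self.in_use[s.assigned]   # release the address the client refused
            return False
        # Bug-era behaviour: accept the tunnel, then resolve any clash by kicking the
        # oldest session already using that address.
        for old in [o for o in self.active if o.tunnel == tunnel_ip]:
            self.active.remove(old)
            if old.assigned:
                self.in_use.pop(old.assigned, None)
            self.log.append(f"session {old.sid}: kicked, address {tunnel_ip} conflict")
        self.active.append(s)
        return True
```

With `enforce=False` a client that skips assignment and tunnels 10.0.0.1 is accepted, the pool still reports 10.0.0.1 as free, and the next compliant client is handed the same address and displaces it.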

Related Community Discussions

Non Cisco IKEv1 Remote Access VPN fail after upgrade
Hello everyone, We upgraded our ASA from 7.2(5) to 9.1(7) and non-Cisco IKEv1 Remote Access VPN now fail. Phase 1 is OK, AAA user auth is successful but we have the following errors in ASDM : Group = XXX, Username = XXXX, IP = 80.12.X.Y, QM FSM error (P2 struct &0x7659d900, mess id 0x60ecf534)! Group = XXX, Username = XXXX, IP = 80.12.X.Y, Aborting Connection: IKEv1 RA client which did not request an assigned IP is attempting to establish a phase 2 SA for 10.59.Z.Z. IP of client at the other ...
Latest activity: Oct 27, 2016