Cisco Bug: CSCuo51043 - IOS Dynamic crypto map allows L2L peers not matching ISAKMP profile

Last Modified

Apr 19, 2019

Products (107)

  • Cisco IOS
  • Cisco 812 CiFi Integrated Services Router
  • Cisco ASR 901-6CZ-FS-D Router
  • Cisco 892W Integrated Services Router
  • Cisco 861W Integrated Services Router
  • Cisco 819 Hardened Integrated Services Router
  • Cisco 886VA-CUBE Integrated Services Router
  • Cisco C892FSP Integrated Services Router
  • Cisco 1905 Serial Integrated Services Router
  • Cisco 886VAG 3G Integrated Services Router

Known Affected Releases

15.2(4)M 15.2(4)S 15.3(3)M 15.4(2)S 15.4(2.1)T

Description (partial)

Symptom:
The dynamic L2L peer successfully brings up both phase-1 and phase-2, although the isakmp profile does not cater to this new peer.

Conditions:
IOS L2L end-point catering to dynamic peers, with a dynamic crypto map, under which we have:
a) an isakmp profile that does not match the isakmp identity of this new peer
b) no crypto ACL [i.e. no 'match address' statement]

Note: a crypto ACL can be configured under the dynamic map, that is either an exact or a super-set mirror image of the peer's crypto ACL, although this is not mandatory.
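
To audit a saved configuration for the conditions listed above, the following added example (not part of the Cisco bug record) lists dynamic crypto map entries that reference an isakmp profile and carry no 'match address' statement. The sample configuration and all names in it are constructed; condition (a) depends on the connecting peer's identity and cannot be checked from the configuration alone.

```python
import re

# Constructed sample IOS configuration; every name and address is hypothetical.
SAMPLE_CONFIG = """\
crypto isakmp profile PROF-BRANCH
 keyring KR-BRANCH
 match identity address 192.0.2.10 255.255.255.255
!
crypto dynamic-map DYN-A 10
 set transform-set TS1
 set isakmp-profile PROF-BRANCH
!
crypto dynamic-map DYN-B 10
 set transform-set TS1
 set isakmp-profile PROF-BRANCH
 match address 110
!
crypto dynamic-map DYN-C 10
 set transform-set TS1
!
crypto map OUTSIDE 100 ipsec-isakmp dynamic DYN-A
"""

HEADER = re.compile(r"^crypto dynamic-map (\S+) (\d+)\s*$")

def parse_dynamic_maps(config):
    """Return {(name, seq): {"profile": ..., "acl": ...}} for each dynamic-map entry."""
    entries, current = {}, None
    for line in config.splitlines():
        m = HEADER.match(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            current = entries.setdefault(key, {"profile": None, "acl": None})
        elif line.startswith(" ") and current is not None:
            words = line.split()  # indented sub-command of the current entry
            if words[:2] == ["set", "isakmp-profile"] and len(words) == 3:
                current["profile"] = words[2]
            elif words[:2] == ["match", "address"] and len(words) == 3:
                current["acl"] = words[2]
        else:
            current = None  # "!" or any top-level command closes the entry
    return entries

def entries_matching_bug_conditions(config):
    """Entries with an isakmp profile set and no crypto ACL (condition b)."""
    maps = parse_dynamic_maps(config)
    return sorted(k for k, v in maps.items() if v["profile"] and not v["acl"])

if __name__ == "__main__":
    for name, seq in entries_matching_bug_conditions(SAMPLE_CONFIG):
        print(f"review: crypto dynamic-map {name} {seq}")
```
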