Cisco Bug: CSCuo51043 - IOS Dynamic crypto map allows L2L peers not matching ISAKMP profile

Last Modified

Apr 19, 2019

Products (107)

Cisco IOS
Cisco 812 CiFi Integrated Services Router
Cisco ASR 901-6CZ-FS-D Router
Cisco 892W Integrated Services Router
Cisco 861W Integrated Services Router
Cisco 819 Hardened Integrated Services Router
Cisco 886VA-CUBE Integrated Services Router
Cisco C892FSP Integrated Services Router
Cisco 1905 Serial Integrated Services Router
Cisco 886VAG 3G Integrated Services Router

View all products in Bug Search Tool Login Required

Known Affected Releases

15.2(4)M 15.2(4)S 15.3(3)M 15.4(2)S 15.4(2.1)T

Description (partial)

Symptom:
The dynamic L2L peer will successfully bring up, both phase-1 and phase-2 although the isakmp profile does not cater to this new peer.

Conditions:
IOS L2L end-point catering to dynamic peers, with a dynamic crypto map, under which we have:
a) an isakmp profile that does not match the isakmp identity of this new peer
b) no crypto ACL [i.e. no 'match address' statement]

Note: a crypto ACL can be configured under the dynamic map, that is either an exact or a super-set mirror image of the peer's crypto ACL, although this is not mandatory.

View Bug Details in Bug Search Tool Login Required

Why Is Login Required?

Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

Full Description (including symptoms, conditions and workarounds)
Status
Severity
Known Fixed Releases
Related Community Discussions
Number of Related Support Cases

Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.

Learn More About Cisco Service Contracts