Cisco Bug: CSCup32700 - FlexVPN spoke to spoke tunnels do not apply Authorization attributes

Last Modified

Apr 17, 2019

Products (84)

  • Cisco IOS
  • Cisco 812 CiFi Integrated Services Router
  • Cisco 819 Hardened Integrated Services Router
  • Cisco 881SRSTW Integrated Services Router
  • Cisco 892W Integrated Services Router
  • Cisco 886VA-CUBE Integrated Services Router
  • Cisco C897VA Integrated Services Router
  • Cisco 886VAG 3G Integrated Services Router
  • Cisco 2951 Integrated Services Router
  • Cisco VG204XM Analog Voice Gateway

Known Affected Releases

15.3(3)M3 15.4(2)T1

Description (partial)

When building spoke-to-spoke tunnels, the spokes always send AAA authorization requests to RADIUS and receive the attributes in the Access-Accept, but they do not consistently apply those attributes to the virtual-access interface configuration: on some attempts the attributes are applied and on others they are not.

When building hub-to-spoke tunnels, the virtual-access interfaces on the hub always receive the proper attributes from RADIUS.

Here is an example of a spoke-to-spoke tunnel that did honor the attributes (the Access-Accept carries a Cisco AVpair with an ip:interface-config command, and that command shows up in the derived configuration of the virtual-access interface):

*Jun 11 19:15:00.439: RADIUS: Received from id 1645/5, Access-Accept, len 129
*Jun 11 19:15:00.439: RADIUS:  User-Name           [1]   23  "spoke2.naaustin.local"
*Jun 11 19:15:00.439: RADIUS:   Cisco AVpair       [1]   48  "ip:interface-config=description Spoke to Spoke"

Derived configuration : 342 bytes
interface Virtual-Access1
 description Spoke to Spoke  <<<<<
 ip unnumbered GigabitEthernet0/0

Here is the same device with the same remote spoke tested again. This time it did not honor the attributes: the Access-Accept carries the same AVpair, but there is no description on the interface in the derived configuration.

*Jun 11 20:12:43.655: RADIUS: Received from id 1645/11, Access-Accept, len 129
*Jun 11 20:12:43.655: RADIUS:  User-Name           [1]   23  "spoke2.naaustin.local"
*Jun 11 20:12:43.655: RADIUS:   Cisco AVpair       [1]   48  "ip:interface-config=description Spoke to Spoke"

Derived configuration : 277 bytes
interface Virtual-Access1
 ip unnumbered GigabitEthernet0/0
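The two captures above are the natural evidence for this bug: the RADIUS Access-Accept lists the ip:interface-config commands the spoke was told to apply, and the derived configuration of the virtual-access interface shows what it actually applied. The following script is an added example (not part of this bug report and not a Cisco tool) that parses a "debug radius" / "show derived-config" capture of that shape and reports any interface-config command from the Access-Accept that is missing from the Virtual-Access stanza. The sample inputs are constructed from the two captures on this page, and the function names are this example's own.

```python
import re

# Constructed sample: the spoke-to-spoke attempt above that honored the attribute.
HONORED = """\
*Jun 11 19:15:00.439: RADIUS: Received from id 1645/5, Access-Accept, len 129
*Jun 11 19:15:00.439: RADIUS:  User-Name           [1]   23  "spoke2.naaustin.local"
*Jun 11 19:15:00.439: RADIUS:   Cisco AVpair       [1]   48  "ip:interface-config=description Spoke to Spoke"

Derived configuration : 342 bytes
interface Virtual-Access1
 description Spoke to Spoke
 ip unnumbered GigabitEthernet0/0
"""

# Constructed sample: the later attempt on the same spoke that did not honor it.
NOT_HONORED = """\
*Jun 11 20:12:43.655: RADIUS: Received from id 1645/11, Access-Accept, len 129
*Jun 11 20:12:43.655: RADIUS:  User-Name           [1]   23  "spoke2.naaustin.local"
*Jun 11 20:12:43.655: RADIUS:   Cisco AVpair       [1]   48  "ip:interface-config=description Spoke to Spoke"

Derived configuration : 277 bytes
interface Virtual-Access1
 ip unnumbered GigabitEthernet0/0
"""

# Matches the per-command interface config RADIUS returns as a Cisco AVpair,
# e.g.  Cisco AVpair  [1]  48  "ip:interface-config=description Spoke to Spoke"
AVPAIR_RE = re.compile(
    r'Cisco AVpair\s+\[\d+\]\s+\d+\s+"ip:interface-config=([^"]+)"'
)


def expected_interface_commands(capture):
    """Interface commands the RADIUS server told the spoke to apply."""
    return [m.group(1).strip() for m in AVPAIR_RE.finditer(capture)]


def derived_interface_commands(capture):
    """Commands actually present under the first 'interface Virtual-Access' stanza."""
    cmds = []
    in_stanza = False
    for line in capture.splitlines():
        if line.startswith("interface Virtual-Access"):
            in_stanza = True
            continue
        if in_stanza:
            # IOS indents stanza members by one space; the stanza ends at the
            # first unindented line (or at end of input).
            if not line.startswith(" "):
                break
            cmds.append(line.strip())
    return cmds


def missing_attributes(capture):
    """RADIUS interface-config commands that never reached the virtual-access interface.

    An empty list means the authorization attributes were honored; a non-empty
    list is the symptom described in this bug.
    """
    applied = set(derived_interface_commands(capture))
    return [cmd for cmd in expected_interface_commands(capture) if cmd not in applied]


if __name__ == "__main__":
    for label, capture in (("honored", HONORED), ("not honored", NOT_HONORED)):
        missing = missing_attributes(capture)
        print(f"{label}: {'OK' if not missing else 'MISSING ' + ', '.join(missing)}")
```

Run it against a capture taken with "debug radius" followed by "show derived-config interface Virtual-AccessN" on the spoke after each spoke-to-spoke tunnel comes up; a non-empty result on a spoke whose RADIUS server answered with the attribute is exactly the intermittent failure this bug describes.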

  • FlexVPN using spoke-to-spoke tunnels
  • AAA authorization applied to the IKEv2 profiles on the spokes using RADIUS