Cisco Bug: CSCuq37448 - Cisco ASA Failover IPSEC does not encrypt failover link

Last Modified

Apr 16, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.1(2) 9.2(2)

Description (partial)

Configuring failover key or failover ipsec <preshared key> does not encrypt messages going through the failover link. Failover link messages include information about the state of the connection table and connection replication.

An attacker who is able to MitM the failover link could exploit this to manipulate the information on the standby unit or make it inconsistent.

The fix is available only for the failover ipsec preshared key configuration.

This vulnerability was reported to Cisco by Alec STUART-MUIRK.

A failover link needs to be configured.