Cisco Bug: CSCuq63745 - ENH:ASA L2L-Configuring duplicate entries for same peer must throw error

Last Modified

Mar 02, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.1(5.10)

Description (partial)

Symptom:
While configuring site-to-site tunnels, the ASA currently allows duplicate crypto map entries for the same peer as long as the crypto map sequence numbers differ. For example:

crypto map Outside_map 1 match address out_cryptomap
crypto map Outside_map 1 set peer 10.0.0.1
crypto map Outside_map 1 set ikev1 transform-set ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 2 match address out_cryptomap1
crypto map Outside_map 2 set peer 10.0.0.1
crypto map Outside_map 2 set ikev1 transform-set ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface outside

If a user attempts to configure this, the ASA should return an error stating that a crypto map entry for that peer's IP address already exists.
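The following is an added example, not code from Cisco or from the bug itself: a small checker that scans an ASA running configuration for the pattern above (one peer bound to more than one static entry of the same crypto map) and a function that emulates the rejection the enhancement asks for. The function names, the regular expression and the error wording are assumptions; the ASA's eventual error text is not given on this page. The sample configuration is constructed from the report's own lines.

```python
import re
from collections import defaultdict

# Constructed sample: the crypto map lines from the bug report's example,
# not a dump from a real device.
SAMPLE_CONFIG = """\
crypto map Outside_map 1 match address out_cryptomap
crypto map Outside_map 1 set peer 10.0.0.1
crypto map Outside_map 1 set ikev1 transform-set ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 2 match address out_cryptomap1
crypto map Outside_map 2 set peer 10.0.0.1
crypto map Outside_map 2 set ikev1 transform-set ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface outside
"""

# Static entries only: "crypto map <name> <seq> set peer <peer> [<peer> ...]".
# Dynamic-map references and the "interface" binding carry no peer and are skipped.
SET_PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")


def find_duplicate_peers(config_text):
    """Map (crypto_map_name, peer) -> sorted sequence numbers for every peer
    that is configured in more than one entry of the same crypto map."""
    seqs_by_peer = defaultdict(set)
    for raw in config_text.splitlines():
        m = SET_PEER_RE.match(raw.strip())
        if not m:
            continue
        map_name, seq, peer_field = m.groups()
        # "set peer" accepts a list of addresses (backup peers); each one counts.
        for peer in peer_field.split():
            seqs_by_peer[(map_name, peer)].add(int(seq))
    return {key: sorted(seqs) for key, seqs in seqs_by_peer.items() if len(seqs) > 1}


def check_set_peer(config_text, map_name, seq, peer):
    """Emulate the requested behaviour: reject a new
    'crypto map <map_name> <seq> set peer <peer>' when <peer> already belongs to a
    different sequence number of the same map. Returns None if the command is
    acceptable, otherwise the error string (hypothetical wording)."""
    for raw in config_text.splitlines():
        m = SET_PEER_RE.match(raw.strip())
        if not m or m.group(1) != map_name or int(m.group(2)) == seq:
            continue
        if peer in m.group(3).split():
            return ("ERROR: peer %s is already configured in crypto map %s entry %s"
                    % (peer, map_name, m.group(2)))
    return None


def report(config_text):
    """Human-readable line for every duplicate found in config_text."""
    lines = []
    for (map_name, peer), seqs in sorted(find_duplicate_peers(config_text).items()):
        lines.append("crypto map %s: peer %s appears in entries %s"
                     % (map_name, peer, ", ".join(str(s) for s in seqs)))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG) or ["no duplicate peers"]:
        print(line)
    print(check_set_peer(SAMPLE_CONFIG, "Outside_map", 3, "10.0.0.1"))
```

Run against a saved "show running-config crypto map" to find existing duplicates before an upgrade to a release that enforces the check. On current releases the usual remedy is to keep one static entry per peer and put all of that peer's interesting-traffic ACEs into the single crypto ACL bound to it.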

Conditions:
ASA, any version.