Cisco Bug: CSCur95551 - ASA prefers Suite-B algorithms w/ AC Essentials enabled for AC IKEv2

Last Modified

Nov 08, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.0(2) 9.1(5) 9.1(5.19) 9.2(2.4) 9.3(1)

Description (partial)

Symptom:
Currently, the ASA prefers a Suite-B algorithm during an AnyConnect IKEv2 "IKE_SA_INIT Exchange" when AC Essentials is enabled. As per the following documents,

http://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/qa_c67-712937.html
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac09localpolicy.html

using Suite-B with AC IKEv2 requires an AnyConnect Premium license. So if a customer uses Suite-B for the initial exchange of L2L IKEv2 tunnels (configured on the same ASA that terminates AC IKEv2 connections), the ASA always prefers the Suite-B algorithms for the AC IKEv2 negotiation, and the connection fails because of the AC Essentials license restriction. The order of the IKEv2 policies is also ineffective in this case: even with a non-Suite-B policy at the top of the list, it is not negotiated during the AC IKEv2 connection.

These are the error messages seen on the ASA during the failure:

IKEv2-PLAT-1: Failed to create an IKEv2 Proposal because an AnyConnect Premium license is required to support an IKEv2 remote access connection using NSA Suite B algorithms
IKEv2-PLAT-1: unable to build ikev2 policy
IKEv2-PROTO-1: (7): Failed to locate an item in the database

On the AC client, this is the failure message:

Could not connect to server. Please verify Internet connectivity and server address.

Conditions:
#AnyConnect connecting with IKEv2.
#ASA configured with Suite-B IKEv2 policies alongside non-Suite-B policies.
#AC Essentials enabled on the ASA.
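
As an added example (not part of the Cisco bug text), the following Python script audits the `crypto ikev2 policy` section of an ASA running configuration for the conditions above: Suite-B and non-Suite-B policies on the same box, with AC Essentials licensed. The sample configuration is constructed, not captured from a device. The Suite-B classification (AES-GCM encryption, SHA-2 integrity/PRF, ECDH groups 19 to 21) is an assumption following Cisco's published Suite B definition, and the license state is passed in as a flag because it is not visible in the crypto configuration.

```python
import re
from typing import Dict, List

# Constructed sample (not captured from a real device): the crypto ikev2
# section of `show running-config` on an ASA that matches the bug conditions.
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 21 20 19
 prf sha512 sha384 sha256
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes-256
 integrity sha256
 group 19 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
"""

# Assumed Suite-B classification, following Cisco's published Suite B
# definition (AES-GCM encryption, SHA-2 integrity/PRF, ECDH groups 19-21).
SUITE_B_ENCRYPTION = {"aes-gcm", "aes-gcm-192", "aes-gcm-256"}
SUITE_B_HASHES = {"sha256", "sha384", "sha512"}
SUITE_B_GROUPS = {"19", "20", "21"}

POLICY_ATTRS = ("encryption", "integrity", "group", "prf")


def parse_ikev2_policies(config: str) -> List[Dict]:
    """Parse `crypto ikev2 policy <n>` blocks, lowest number (highest priority) first."""
    policies: List[Dict] = []
    current = None
    for line in config.splitlines():
        m = re.match(r"^crypto ikev2 policy (\d+)\s*$", line)
        if m:
            current = {"priority": int(m.group(1)), **{a: [] for a in POLICY_ATTRS}}
            policies.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the policy block
            continue
        parts = line.split()
        if parts[0] in POLICY_ATTRS:
            current[parts[0]] = parts[1:]  # e.g. "group 21 20 19" -> ["21", "20", "19"]
    return sorted(policies, key=lambda p: p["priority"])


def suite_b_algorithms(policy: Dict) -> List[str]:
    """Suite-B algorithms a policy offers under the classification above (empty if none)."""
    hits = [a for a in policy["encryption"] if a in SUITE_B_ENCRYPTION]
    hits += [a for a in policy["integrity"] + policy["prf"] if a in SUITE_B_HASHES]
    hits += ["group " + g for g in policy["group"] if g in SUITE_B_GROUPS]
    return hits


def audit(config: str, ac_essentials: bool) -> Dict:
    """Classify the configuration against the bug's conditions.

    ac_essentials is passed in because the license state is not visible in
    the crypto configuration (check `show version` / `show activation-key`).
    """
    policies = parse_ikev2_policies(config)
    suite_b = [p["priority"] for p in policies if suite_b_algorithms(p)]
    non_suite_b = [p["priority"] for p in policies if not suite_b_algorithms(p)]
    if not ac_essentials or not suite_b:
        status = "ok"                        # Premium licensed, or no Suite-B policies
    elif non_suite_b:
        status = "bug_exposed"               # mixed policies + Essentials: CSCur95551 conditions
    else:
        status = "expected_license_failure"  # only Suite-B policies: documented restriction
    return {
        "status": status,
        "suite_b_policies": suite_b,
        "non_suite_b_policies": non_suite_b,
        # Per the bug, a non-Suite-B policy at the top does NOT help on affected
        # releases; it is reported only so the reader can see the ordering.
        "top_policy_is_suite_b": bool(policies) and policies[0]["priority"] in suite_b,
    }


if __name__ == "__main__":
    for essentials in (True, False):
        result = audit(SAMPLE_CONFIG, ac_essentials=essentials)
        print(f"AC Essentials={essentials}: {result}")
```

Run it against the output of `show running-config crypto ikev2` from the affected ASA. A `bug_exposed` result means the box matches all three conditions; `expected_license_failure` means only Suite-B policies exist, so the failure is the documented license restriction rather than this bug. Note that `top_policy_is_suite_b` being false does not clear the box, since the bug is precisely that policy order is ignored for the AnyConnect negotiation.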