Cisco Bug: CSCus89013 - Multiple Child SAs created

Last Modified

Nov 09, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.3(2)

Description (partial)

Symptom:
Multiple Child SAs created

BXB-3-5520-ASA3(config)# show crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:65, Status:UP-ACTIVE, IKE count:1, CHILD count:903

Tunnel-id                 Local                Remote     Status         Role
162705863          80.1.1.1/500          70.1.1.1/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/5804 sec
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0x3c02014/0x23cc61ca
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0x755d4447/0x1f426716
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0xb196ff93/0x9fbacd9c
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0xba728d67/0x6e159e3d
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0xec951076/0x4d20bdd6
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0x80dc69fe/0x9a072e95
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0xc719b56e/0xf1e350a3
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0x4ebdbb5d/0x89d5e9c2

Conditions:
Create a crypto map with two sequence numbers, then try to connect via the 2nd sequence number. Make the 1st sequence number not match on both peers.
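A defender-side check for this symptom, added here as an example and not part of the Cisco bug record: a small Python parser for the IKEv2 part of ASA `show crypto isakmp sa` / `show crypto ikev2 sa` output that counts the listed Child SAs per traffic-selector pair and flags a session where one selector pair carries more than the expected one active plus one rekeying Child SA, or where the header's CHILD count is abnormally high. The sample output is constructed from the symptom above (and, like the bug page's listing, shows only a few of the 903 reported Child SAs); the thresholds `max_per_selector` and `max_children` are assumptions for this example, not Cisco-documented limits.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample, modelled on the `show crypto isakmp sa` output in the bug
# record: one IKEv2 session whose header reports CHILD count:903 while only
# three Child SA entries are listed (the bug page's output is also truncated).
SAMPLE_OUTPUT = """\
IKEv2 SAs:

Session-id:65, Status:UP-ACTIVE, IKE count:1, CHILD count:903

Tunnel-id                 Local                Remote     Status         Role
162705863          80.1.1.1/500          70.1.1.1/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/5804 sec
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0x3c02014/0x23cc61ca
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0x755d4447/0x1f426716
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0xb196ff93/0x9fbacd9c
"""

SESSION_RE = re.compile(r"Session-id:(\d+), Status:(\S+), IKE count:(\d+), CHILD count:(\d+)")
TUNNEL_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
LOCAL_RE = re.compile(r"Child sa: local selector\s+(\S+ - \S+)")
REMOTE_RE = re.compile(r"remote selector\s+(\S+ - \S+)")
SPI_RE = re.compile(r"ESP spi in/out:\s+(0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")


@dataclass
class Session:
    session_id: int
    status: str
    ike_count: int
    child_count_reported: int      # the CHILD count from the session header
    local: str = ""
    remote: str = ""
    role: str = ""
    # (local selector, remote selector, ESP SPI in, ESP SPI out) per listed Child SA
    children: list = field(default_factory=list)


def parse_ikev2_sessions(text):
    """Parse IKEv2 sessions and their listed Child SAs out of ASA show output."""
    sessions, current, pending = [], None, {}
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = Session(int(m[1]), m[2], int(m[3]), int(m[4]))
            sessions.append(current)
            continue
        if current is None:
            continue
        m = TUNNEL_RE.match(line)          # "Tunnel-id Local Remote Status Role" data row
        if m:
            current.local, current.remote, current.role = m[2], m[3], m[5]
            continue
        m = LOCAL_RE.search(line)          # start of a new Child SA entry
        if m:
            pending = {"local": m[1]}
            continue
        m = REMOTE_RE.search(line)
        if m and pending:
            pending["remote"] = m[1]
            continue
        m = SPI_RE.search(line)            # SPI line closes the Child SA entry
        if m and pending:
            current.children.append((pending["local"], pending.get("remote", ""), m[1], m[2]))
            pending = {}
    return sessions


def audit_sessions(sessions, max_per_selector=2, max_children=64):
    """Return (session_id, finding, detail) tuples for sessions with runaway Child SAs.

    A healthy session has one Child SA per traffic-selector pair, or two while a rekey
    is in flight, so more than max_per_selector on the same pair means new Child SAs are
    being negotiated without the old ones being deleted. Thresholds are assumed values.
    """
    findings = []
    for s in sessions:
        per_pair = Counter((c[0], c[1]) for c in s.children)
        for (loc, rem), n in per_pair.items():
            if n > max_per_selector:
                findings.append((s.session_id, "duplicate_selector",
                                 f"{n} Child SAs for {loc} <-> {rem} (peer {s.remote})"))
        if s.child_count_reported > max_children:
            findings.append((s.session_id, "child_count_high",
                             f"header reports CHILD count:{s.child_count_reported}"))
    return findings


if __name__ == "__main__":
    for sid, kind, detail in audit_sessions(parse_ikev2_sessions(SAMPLE_OUTPUT)):
        print(f"session {sid}: {kind}: {detail}")
```

Feeding the captured output of the affected ASA (for example pulled over SSH on a schedule) into `parse_ikev2_sessions` and alerting on any `audit_sessions` finding catches the Child SA build-up long before it reaches 903, and the SPI columns kept in `children` let you confirm that each repeated selector pair really is a distinct SA rather than a display artifact.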