Cisco Bug: CSCuw33713 - IKEv2: crypto isakmp identity auto doesn't work - DN not IKE ID but IP.

Last Modified

Nov 09, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.4(1) 9.5(1)

Description (partial)

Symptom:
Despite "crypto isakmp identity auto" being configured, the ASA does not send the DN as its IKE ID. It consistently sends its IPv4 address.

As a result, peer identity verification fails.

Conditions:
1. IKEv2 L2L VPN

2. Certificate hierarchy:

ECDSA key root
ECDSA key sub
ECDSA key identity

OR

RSA key root
ECDSA key sub
ECDSA key identity


3. "crypto isakmp identity auto" enabled