Guest

Preview Tool

Cisco Bug: CSCvh83849 - DHCP Relay With Dual ISP and Backup IPSEC Tunnels Causes Flapping

Last Modified

Jul 26, 2019

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.6(4)

Description (partial)

Symptom:
VPN tunnel will flap between primary interface and backup interface logging:

%ASA-5-713259: Group = 192.168.1.1, IP = 192.168.1.1, Session is being torn down. Reason: Peer Address Changed
%ASA-4-113019: Group = 192.168.1.1, Username = 192.168.1.1, IP = 192.168.1.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:11m:53s, Bytes xmt: 666, Bytes rcv: 56, Reason: Peer Address Changed

Conditions:
1)Dual ISPs that terminate on the ASA
AND
2) IPSEC VPN tunnel (crypto map applied to both WAN itnerfaces)
  2a) Crypto map has same remote/local networks (usually same acl used)
AND
3) DHCPRelay servers configured on both WAN interfaces.  ex)

dhcprelay server 192.168.1.1 primary-wan
dhcprelay server 192.168.2.2 backup-wan
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.