Cisco Bug: CSCvi22507 - IKEv1 RRI : With Answer-only Reverse Route gets deleted during Phase 1 rekey

Last Modified

Aug 21, 2019

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.1(7.21) 9.6(4) 9.8(2) 9.9(1.2)

Description (partial)

Symptom:
With the configuration below, when a Phase 1 rekey happens the reverse route is deleted and is not added back to the routing table.

access-list VPN; 1 elements; name hash: 0x7edb8801
access-list VPN line 1 extended permit ip any4 192.168.2.0 255.255.255.0 (hitcnt=3) 0x954335d6


crypto map VPN 1 match address VPN
crypto map VPN 1 set connection-type answer-only
crypto map VPN 1 set peer 1.1.1.2
crypto map VPN 1 set ikev1 transform-set AES256-SHA
crypto map VPN 1 set reverse-route

When the tunnel comes up, the route below is populated in the routing table. After the Phase 1 rekey, however, it is deleted and never comes back.

V        192.168.2.0 255.255.255.0 connected by VPN (advertised), VPN

Conditions:
- With 'Answer-only' configuration and RRI enabled, this behavior is observed on the ASA.
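One way to detect this symptom on a running ASA, as an added example that is not part of the Cisco bug record: a small Python checker that derives the prefixes RRI should inject from the crypto map ACL output and compares them with the 'V' routes in `show route`. The routing-table snapshots are constructed samples, and the checker assumes ACL destinations are written as a network plus mask (not `host` or `any`).

```python
import ipaddress
import re

# Constructed samples: the crypto ACL from the bug record and two "show route"
# snapshots, one taken before the Phase 1 rekey and one after it.
ACL_LINES = [
    "access-list VPN line 1 extended permit ip any4 192.168.2.0 255.255.255.0 (hitcnt=3) 0x954335d6",
]
ROUTE_BEFORE_REKEY = """\
V        192.168.2.0 255.255.255.0 connected by VPN (advertised), VPN
C        10.0.0.0 255.255.255.0 is directly connected, inside
"""
ROUTE_AFTER_REKEY = """\
C        10.0.0.0 255.255.255.0 is directly connected, inside
"""

# "address mask" pair; the last pair on a permit line is the destination.
PAIR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
# RRI-injected routes show up with the 'V' code and "connected by VPN".
ROUTE_RE = re.compile(r"^V\s+(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) connected by VPN")


def expected_rri_networks(acl_lines):
    """Destination prefixes of the crypto ACL: the routes RRI should inject."""
    nets = set()
    for line in acl_lines:
        if " permit " not in line:
            continue
        pairs = PAIR_RE.findall(line)
        if pairs:  # skip 'any'/'host' destinations (assumption: network+mask form)
            addr, mask = pairs[-1]
            nets.add(ipaddress.ip_network(f"{addr}/{mask}"))
    return nets


def present_rri_networks(show_route):
    """Prefixes currently installed as RRI ('V') routes in 'show route' output."""
    nets = set()
    for line in show_route.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            nets.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return nets


def missing_reverse_routes(acl_lines, show_route):
    """ACL destinations with no matching RRI route; non-empty means the symptom."""
    missing = expected_rri_networks(acl_lines) - present_rri_networks(show_route)
    return sorted(missing, key=str)
```

Run the check periodically (or after each rekey event in syslog) and alert when the result is non-empty, since the tunnel stays up while traffic to the missing prefix is silently misrouted.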