Cisco Bug: CSCvi22507 - IKEv1 RRI : With Answer-only Reverse Route gets deleted during Phase 1 rekey
Sep 13, 2019
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
9.1(7.21) 9.6(4) 9.8(2) 9.9(1.2)
Symptom: With the below configuration, when a Phase 1 rekey happens Reverse route gets deleted and not added back in the routing table. access-list VPN; 1 elements; name hash: 0x7edb8801 access-list VPN line 1 extended permit ip any4 192.168.2.0 255.255.255.0 (hitcnt=3) 0x954335d6 crypto map VPN 1 match address VPN crypto map VPN 1 set connection-type answer-only crypto map VPN 1 set peer 188.8.131.52 crypto map VPN 1 set ikev1 transform-set AES256-SHA crypto map VPN 1 set reverse-route When the tunnel comes up, we see the below route getting populated in the routing table however after the P1 rekey, it's deleted and never comes back up. V 192.168.2.0 255.255.255.0 connected by VPN (advertised), VPN Conditions: -With 'Answer-only' configuration and RRI enabled, this behavior is observed on the ASA.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases