Cisco Bug: CSCvs25603 - ASA9.8 | Tunnel Flapping due to DHCP Relay With Dual ISP and Backup IPSEC Configuration

Last Modified

Dec 18, 2019

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.8(4)

Description (partial)

Symptom:
The backup interface receives traffic even though the routing table points to the primary interface and the primary interface is up.
When the backup interface receives such a packet, it triggers tunnel negotiation from that interface, which tears down and deletes the existing tunnel that the primary interface had established.

The primary interface then receives a packet, is triggered in turn, and tears down the tunnel that the backup interface established.

This cycle repeats, so the tunnel keeps flapping.

Conditions:
DHCPRelayASA#
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet1/1       outside1               10.10.10.1      255.255.255.0   CONFIG
GigabitEthernet1/2       outside2               10.10.20.1      255.255.255.0   CONFIG
GigabitEthernet1/3       inside                 172.16.0.1      255.255.255.0   CONFIG
!
crypto map test 1 match address vpn
crypto map test 1 set peer 10.10.30.1 
crypto map test 1 set ikev1 transform-set test
crypto map test interface outside1
!
crypto map test2 1 match address vpn
crypto map test2 1 set peer 10.10.30.1 
crypto map test2 1 set ikev1 transform-set test
crypto map test2 interface outside2
!
access-list vpn extended permit ip 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0

!
dhcprelay server 192.168.1.100 outside2
dhcprelay server 192.168.1.99 outside1
dhcprelay enable inside
dhcprelay timeout 60


PeerASA#
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet1/1       outside                10.10.30.1      255.255.255.0   manual
GigabitEthernet1/2       inside                 192.168.1.1     255.255.255.0   manual
!
crypto map test 1 match address vpn
crypto map test 1 set peer 10.10.10.1 10.10.20.1 
crypto map test 1 set ikev1 transform-set test
crypto map test interface outside
!
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0
Debugs:
PeerASA# sh vpn-sessiondb detail l2l | in Dur
Duration     : 0h:01m:15s

!
[IKEv1]Group = 10.10.20.1, IP = 10.10.20.1, Session is being torn down. Reason: User Requested
Rule Lookup for local 192.168.1.0 to remote 172.16.0.0
Peer matched map test sequence 1
PROXY MATCH on crypto map test seq 1
Rule Lookup for local 192.168.1.0 to remote 172.16.0.0
Peer matched map test sequence 1
PROXY MATCH on crypto map test seq 1
!

PeerASA# sh vpn-sessiondb detail l2l | in Dur
Duration     : 0h:00m:03s


[IKEv1]Group = 10.10.10.1, IP = 10.10.10.1, Session is being torn down. Reason: User Requested
Rule Lookup for local 192.168.1.0 to remote 172.16.0.0
Peer matched map test sequence 1
PROXY MATCH on crypto map test seq 1
Rule Lookup for local 192.168.1.0 to remote 172.16.0.0
Peer matched map test sequence 1
PROXY MATCH on crypto map test seq 1
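The debug output above shows the signature of this bug on the peer side: "Session is being torn down. Reason: User Requested" events alternating between the two remote peer addresses (10.10.10.1 and 10.10.20.1, i.e. outside1 and outside2 of the relay ASA), with session durations of only seconds. The following detector is an added example, not part of the Cisco bug report: it parses such debug lines and the "Duration" lines from "show vpn-sessiondb", and flags runs where teardowns bounce between exactly two peer IPs within a short window. The sample log is constructed; its timestamps are an assumption, since the lines quoted in the report carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, modelled on the "Session is being torn down" debug
# lines in the bug report. Timestamps are assumed (the report's lines have
# none); the two alternating peer IPs are DHCPRelayASA's outside1/outside2.
SAMPLE_LOG = """\
2019-12-18 10:00:00 [IKEv1]Group = 10.10.20.1, IP = 10.10.20.1, Session is being torn down. Reason: User Requested
2019-12-18 10:00:03 [IKEv1]Group = 10.10.10.1, IP = 10.10.10.1, Session is being torn down. Reason: User Requested
2019-12-18 10:00:07 [IKEv1]Group = 10.10.20.1, IP = 10.10.20.1, Session is being torn down. Reason: User Requested
2019-12-18 10:00:10 [IKEv1]Group = 10.10.10.1, IP = 10.10.10.1, Session is being torn down. Reason: User Requested
2019-12-18 10:00:14 [IKEv1]Group = 10.10.20.1, IP = 10.10.20.1, Session is being torn down. Reason: User Requested
2019-12-18 12:30:00 [IKEv1]Group = 10.10.10.1, IP = 10.10.10.1, Session is being torn down. Reason: User Requested
"""

TEARDOWN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[IKEv1\]Group = (?P<group>\S+), IP = (?P<ip>\S+), "
    r"Session is being torn down\. Reason: (?P<reason>.+)$"
)
DURATION_RE = re.compile(r"Duration\s*:\s*(\d+)h:(\d+)m:(\d+)s")


def duration_seconds(line):
    """Convert a 'Duration : 0h:01m:15s' line from 'show vpn-sessiondb' to seconds."""
    m = DURATION_RE.search(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def parse_teardowns(text):
    """Extract (timestamp, peer_ip, reason) tuples from IKEv1 teardown debug lines."""
    events = []
    for line in text.splitlines():
        m = TEARDOWN_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["ip"], m["reason"]))
    return events


def _summarize(run):
    return {
        "peers": sorted({ip for _, ip, _ in run}),
        "teardowns": len(run),
        "start": run[0][0],
        "end": run[-1][0],
    }


def find_flaps(events, max_gap=timedelta(seconds=60), min_teardowns=3):
    """Find runs of teardowns that alternate between exactly two peer IPs,
    each within max_gap of the previous one. A tunnel bouncing between a
    primary and a backup peer address produces exactly this pattern."""
    flaps = []
    run = []
    for ev in events:
        ts, ip, _ = ev
        continues = (
            bool(run)
            and ts - run[-1][0] <= max_gap      # close in time to the last teardown
            and ip != run[-1][1]                # a different peer than the last one
            and (len(run) < 2 or ip == run[-2][1])  # ... but one of the same two peers
        )
        if continues:
            run.append(ev)
        else:
            if len(run) >= min_teardowns:
                flaps.append(_summarize(run))
            run = [ev]
    if len(run) >= min_teardowns:
        flaps.append(_summarize(run))
    return flaps


def analyze(text):
    """Parse a debug capture and return the detected flap runs."""
    return find_flaps(parse_teardowns(text))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        span = (f["end"] - f["start"]).total_seconds()
        print(f"flap between {f['peers']}: {f['teardowns']} teardowns in {span:.0f}s")
```

On the constructed sample this reports one flap run of five teardowns between 10.10.10.1 and 10.10.20.1 within 14 seconds; the isolated teardown two and a half hours later is ignored. Pairing the alternating-peer pattern with session durations of a few seconds from "show vpn-sessiondb detail l2l" separates this condition from an ordinary rekey or an operator-initiated clear.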