Cisco Bug: CSCvs62801 - Phase 1 not cleared on hsrp primary even when crypto enabled interface is shut
May 15, 2020
- Cisco IOS
Known Affected Releases
Symptom: An HSRP device with crypto map redundancy configured deletes phase 2 but not phase 1 when it transitions from primary to init. The IPsec SA is deleted, but the ISAKMP SA is not. If the device returns to active before DPD tears down phase 1 (after a quick shut/no shut of the WAN interface, for example), it continues to answer DPDs. The other side therefore never deletes its phase 2, keeps sending encrypted packets, and those packets are dropped at the headend, which deleted its IPsec SA when the failover event occurred.
Conditions: Headend configured with HSRP and redundant crypto maps when a failover event occurs.
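The mismatch described above, phase 1 still established while phase 2 is gone, is visible from the device itself. The following check is an added example, not Cisco's code or the bug's workaround: it parses constructed samples modelled on `show crypto isakmp sa` and `show crypto ipsec sa` output (the exact column layouts are assumed, not captured from a device) and reports peers that hold an ISAKMP SA but no IPsec SA, i.e. peers whose DPDs are being answered while their traffic is dropped.

```python
import re

# Constructed sample modelled on IOS "show crypto isakmp sa" (column layout assumed, not captured).
ISAKMP_SA_OUTPUT = """\
dst             src             state          conn-id status
203.0.113.1     198.51.100.1    QM_IDLE           1001 ACTIVE
203.0.113.1     198.51.100.2    QM_IDLE           1002 ACTIVE
"""
# Constructed, trimmed sample modelled on "show crypto ipsec sa" (layout assumed). Peer
# 198.51.100.2 keeps its crypto map entry but has no ESP SAs: the state the bug leaves behind.
IPSEC_SA_OUTPUT = """\
interface: GigabitEthernet0/0
    Crypto map tag: VPNMAP, local addr 203.0.113.1
   current_peer 198.51.100.1 port 500
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
     outbound esp sas:
      spi: 0x4D3C2B1A(1295861530)
   current_peer 198.51.100.2 port 500
     inbound esp sas:
     outbound esp sas:
"""
ISAKMP_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+ACTIVE\s*$")

def active_isakmp_peers(text, local_addr):
    """Remote peers holding an established (QM_IDLE) phase 1 SA with this device."""
    peers = set()
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line)
        if m and m.group(3) == "QM_IDLE":
            dst, src = m.group(1), m.group(2)
            peers.add(src if dst == local_addr else dst)  # whichever address is not ours
    return peers

def peers_with_ipsec_sa(text):
    """Remote peers with at least one ESP SA (an SPI line) installed."""
    peers, current = set(), None
    for line in text.splitlines():
        m = re.match(r"\s*current_peer (\S+) port", line)
        if m:
            current = m.group(1)
        elif current and line.strip().startswith("spi:"):
            peers.add(current)
    return peers

def orphaned_phase1(isakmp_text, ipsec_text, local_addr):
    """Peers with phase 1 but no phase 2: DPD keeps being answered while their traffic is dropped."""
    return sorted(active_isakmp_peers(isakmp_text, local_addr) - peers_with_ipsec_sa(ipsec_text))
```

Treat a hit as a signal to investigate rather than proof of this bug, since a peer can legitimately sit in this state briefly while phase 2 is being renegotiated.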