Cisco Bug: CSCvs62801 - Phase 1 not cleared on hsrp primary even when crypto enabled interface is shut

Last Modified

Nov 02, 2020

Products (1)

  • Cisco 2600 Series Multiservice Platforms

Known Affected Releases

15.5(3)S5.1

Description (partial)

Symptom:
An HSRP device with crypto map redundancy configured deletes phase 2 but not phase 1 when it transitions from primary to init. As a result, the IPSec SA is deleted but the ISAKMP SA is not. If the device goes back to active before DPD tears down phase 1 (after a quick shut/no shut of the WAN interface, for example), it continues to respond to DPDs. The other side never deletes phase 2 and continues to send encrypted packets, which are dropped at the headend because it deleted the IPSec SA when the failover event occurred.

Conditions:
A headend configured with HSRP and redundant crypto maps, when a failover event occurs.
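
One way to spot the state described in the symptom on the headend, as an added example that is not part of the Cisco bug record: the script lists peers that still have an active ISAKMP SA but no IPSec SA. It assumes the session table has been captured as text in the layout of IOS `show crypto session`; the sample input and its addresses are constructed.

```python
import re

# Constructed sample, modelled on the text layout of IOS "show crypto session";
# the layout and all addresses are assumptions, not taken from the bug record.
SAMPLE = """\
Interface: GigabitEthernet0/0
Session status: UP-IDLE
Peer: 192.0.2.10 port 500
  IKEv1 SA: local 192.0.2.1/500 remote 192.0.2.10/500 Active
  IPSEC FLOW: permit ip 10.1.0.0/255.255.0.0 10.2.0.0/255.255.0.0
        Active SAs: 0, origin: crypto map
Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 192.0.2.20 port 500
  IKEv1 SA: local 192.0.2.1/500 remote 192.0.2.20/500 Active
  IPSEC FLOW: permit ip 10.1.0.0/255.255.0.0 10.3.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 192.0.2.30 port 500
  IPSEC FLOW: permit ip 10.1.0.0/255.255.0.0 10.4.0.0/255.255.0.0
        Active SAs: 0, origin: crypto map
"""

PEER = re.compile(r"^Peer:\s+(\S+)")
IKE_UP = re.compile(r"^\s*IKE(?:v\d)? SA:.*\bActive\s*$")
IPSEC = re.compile(r"^\s*Active SAs:\s*(\d+)")

def parse_sessions(text):
    """Return {peer: {"ike_active": bool, "ipsec_sas": int}}."""
    sessions, cur = {}, None
    for line in text.splitlines():
        m = PEER.match(line)
        if m:  # a Peer line starts (or continues) that peer's record
            cur = sessions.setdefault(m.group(1), {"ike_active": False, "ipsec_sas": 0})
        elif cur is not None and IKE_UP.match(line):
            cur["ike_active"] = True
        elif cur is not None and (m := IPSEC.match(line)):
            cur["ipsec_sas"] += int(m.group(1))  # sum over all flows of the peer
    return sessions

def phase1_without_phase2(text):
    """Peers whose ISAKMP SA is active but that have no IPSec SA."""
    return sorted(p for p, s in parse_sessions(text).items()
                  if s["ike_active"] and s["ipsec_sas"] == 0)

if __name__ == "__main__":
    for peer in phase1_without_phase2(SAMPLE):
        print(f"{peer}: phase 1 up, no phase 2 SAs")
```

A peer can also sit in this state when it is simply idle, so a hit is only meaningful when it lines up with a recent HSRP state change on the crypto-enabled interface.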