Cisco Bug: CSCvs70260 - IKEv2 vpn-filter drops traffic with implicit deny after volume based rekey collision

Last Modified

Jun 25, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.12(3) 9.8(4.15) 9.8(4.8)

Description (partial)

Symptom:
Traffic stops flowing over VPN after some time.
"show crypto ipsec sa" shows IPSEC SA is established.
"show vpn-sessiondb detail l2l" shows VPN is established and vpn-filter is applied.
"show asp drop" shows "Flow is denied by configured rule (acl-drop)" increasing.
Packet-tracer / capture with trace shows:

Phase: 6
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fd1dd44e830, priority=12, domain=filter-aaa, deny=true
    hits=42832, user_data=0x7fd1d62bf280, filter_id=0x0(-implicit deny-), protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0

"show asp table filter" shows only implicit-deny rules, while there should also be rules derived from the vpn-filter ACL:

Global Filter Table:
in  id=0x7f6dc1e351d0, priority=12, domain=filter-aaa, deny=true
	hits=1221, user_data=0x7f6dba59c6c0, filter_id=0x0(-implicit deny-), protocol=0
	src ip=0.0.0.0, mask=0.0.0.0, port=0
	dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x7f6dc1e35910, priority=12, domain=filter-aaa, deny=true
	hits=0, user_data=0x7f6dba59c540, filter_id=0x0(-implicit deny-), protocol=0
	src ip=::/0, port=0
	dst ip=::/0, port=0
out id=0x7f6dc1e35570, priority=12, domain=filter-aaa, deny=true
	hits=0, user_data=0x7f6dba59c600, filter_id=0x0(-implicit deny-), protocol=0
	src ip=0.0.0.0, mask=0.0.0.0, port=0
	dst ip=0.0.0.0, mask=0.0.0.0, port=0
out id=0x7f6dc1e35ce0, priority=12, domain=filter-aaa, deny=true
	hits=0, user_data=0x7f6dba59c480, filter_id=0x0(-implicit deny-), protocol=0
	src ip=::/0, port=0
	dst ip=::/0, port=0

Last clearing of hits counters: Never
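As an added illustration (not part of the bug report), a small Python checker that parses "show asp table filter" output in the format shown above and flags the state described here: the filter-aaa domain containing only implicit-deny entries, with their hit counters available for comparison across snapshots. Both sample outputs are constructed; the healthy sample's filter_id value and ACL name are assumptions, not taken from the page.

```python
import re

# Constructed sample of "show asp table filter" output in the bug state: only an
# implicit-deny entry in filter-aaa, nothing derived from the vpn-filter ACL.
BUGGY_TABLE = """Global Filter Table:
in  id=0x7f6dc1e351d0, priority=12, domain=filter-aaa, deny=true
\thits=1221, user_data=0x7f6dba59c6c0, filter_id=0x0(-implicit deny-), protocol=0
\tsrc ip=0.0.0.0, mask=0.0.0.0, port=0
\tdst ip=0.0.0.0, mask=0.0.0.0, port=0
"""

# Constructed healthy sample: a permit entry from the vpn-filter ACL precedes the
# implicit deny. The filter_id value and ACL name here are assumptions.
HEALTHY_TABLE = """Global Filter Table:
in  id=0x7f6dc1e35000, priority=12, domain=filter-aaa, deny=false
\thits=5000, user_data=0x7f6dba59c000, filter_id=0x1(VPN-FILTER-ACL), protocol=0
\tsrc ip=10.1.1.0, mask=255.255.255.0, port=0
\tdst ip=10.2.2.0, mask=255.255.255.0, port=0
in  id=0x7f6dc1e351d0, priority=12, domain=filter-aaa, deny=true
\thits=3, user_data=0x7f6dba59c6c0, filter_id=0x0(-implicit deny-), protocol=0
\tsrc ip=0.0.0.0, mask=0.0.0.0, port=0
\tdst ip=0.0.0.0, mask=0.0.0.0, port=0
"""

ENTRY_RE = re.compile(r"^(in|out)\s+id=(0x[0-9a-f]+),.*domain=([^,]+),\s*deny=(true|false)")
DETAIL_RE = re.compile(r"^\s+hits=(\d+),.*filter_id=(0x[0-9a-f]+)\(([^)]*)\)")

def parse_filter_table(text):
    """Return one dict per rule entry: direction, id, domain, deny, hits, filter name."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"dir": m.group(1), "id": m.group(2),
                            "domain": m.group(3), "deny": m.group(4) == "true"})
        elif entries and (m := DETAIL_RE.match(line)):  # detail line of the last entry
            entries[-1].update(hits=int(m.group(1)), filter_id=m.group(2),
                               filter_name=m.group(3))
    return entries

def vpn_filter_rules_missing(text):
    """True when filter-aaa holds only implicit-deny entries: the state this bug produces."""
    rules = [e for e in parse_filter_table(text) if e["domain"] == "filter-aaa"]
    return bool(rules) and all(e.get("filter_name") == "-implicit deny-" for e in rules)

def implicit_deny_hits(text):
    """Sum of implicit-deny hits; compare two snapshots to confirm the counter is climbing."""
    return sum(e.get("hits", 0) for e in parse_filter_table(text)
               if e.get("filter_name") == "-implicit deny-")
```

Run it against two captures of "show asp table filter" taken a few minutes apart: the combination of no non-implicit entries and a rising implicit-deny hit count matches the symptom above, and is a cheaper first check than packet-tracer.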

Conditions:
IKEv2 LAN-to-LAN (L2L) tunnel.
VPN filter applied in the group-policy.
Symmetric traffic (a similar volume of data in and out).
Volume-based rekey enabled (the default).