Cisco Bug: CSCvs88829 - ENH: ASA should support IKEv2 AnyConnect connections when they come from the same IP as a VTI peer
Apr 14, 2020
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom: !----- This is an ENHANCEMENT Request -----! Implementation of VTI in ASA has the following guideline: "VTI and crypto map configurations can co-exist on the same physical interface, provided the peer address configured in the crypto map and the tunnel destination for the VTI are different." https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/configuration/vpn/asa-913-vpn-config/vpn-vti.html#id_42759 Scenario: ASA1 ======= ASA2--- AC user There is an IKEv2 S2S tunnel between ASA1 and ASA2 using IKEv2 VTIs, and there is an AC user behind ASA2 (traffic will be NATed with ASA2 public IP address) configured to connect with IKEv2 to ASA1. What will happen is that the AC IKEv2 connection will come with the same IP address than the configured on the ASA1 VTI; however, the AC IKEv2 implementation requires the traffic to be processed by the Dynamic CM, therefore we are violating the above Guideline/Limitation basically. The IKEv2 tunnel with the AC user will come up, but the VTI will process the tunnel establishment (Dynamic CM must do it) and that will cause the Traffic Selectors to be negotiated incorrectly. The problem will come when the AC user disconnects, causing the VTI to go down tearing also the S2S tunnel established on the VTI between the 2 ASAs. This is an Enhancement Request to support the above scenario, which will require to add the capability on the ASA to distinguish this is an AC IKEv2 connection so it can be forwarded to the Dynamic Crypto Map instead of being processed on the VTI. Conditions: AC IKev2 connection coming with the same IP address defined in the VTI tunnel destination.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases