Guest

Preview Tool

Cisco Bug: CSCvt98599 - IKEv2 Call Admission Statistics "Active SAs" counter out of sync with the real number of sessions

Last Modified

Sep 17, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.6(4.25)

Description (partial)

Symptom:
On the ASA IKEv2 Call Admission Statistics "Active SAs" counter can go out of sync with the real number of IKEv2 sessions as shown by the "show vpn-sessiondb". When the CAC "Active SAs" counter reaches platform limit, new sessions cannot be established and the following syslog message is generated:

%ASA-4-751015: Local:0.0.0.0:0 Remote:0.0.0.0:0 Username:Unknown IKEv2 SA request rejected by CAC. Reason: SA LIMIT REACHED

Conditions:
This can happen after a failover event and if Failover State link is down. All ASA versions are affected.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.