Cisco Bug: CSCvu00832 - IKE session with certificate flaps during key regeneration

Last Modified

Sep 10, 2020

Products (20)

  • Cisco IOS
  • Cisco 4221 Integrated Services Router
  • Cisco ASR 1000 Series IOS XE SD-WAN
  • Cisco 1101 Industrial Integrated Services Router
  • Cisco 4331 Integrated Services Router
  • Cisco 4431 Integrated Services Router
  • Cisco 4321 Integrated Services Router
  • Cisco ASR 1002-X Router
  • Cisco ASR 1001-X Router
  • Cisco 4451-X Integrated Services Router

Known Affected Releases

16.12.3

Description (partial)

Symptom:
IKE Session flaps after certificate renewal

In the debugs we can see that, right after the new certificate is installed, the IPsec SA is deleted:
Apr  1 16:15:22.845: %PKI-6-CERT_INSTALL: An ID certificate has been installed under
Apr  1 16:15:22.846: %PKI-1-CERT_EXPIRY_ALERT: ID Certificate belonging to trustpoint DMVPN-CA will expire in 0 Days 0 hours 10 
Apr  1 16:15:22.846: CRYPTO_PKI: Trustpoint DMVPN-CA enroll in process - no need to set renew timer
Apr  1 16:15:22.846: CRYPTO_PKI: All enrollment requests completed for trustpoint DMVPN-CA.
Apr  1 16:15:22.846: CRYPTO_PKI: All enrollment requests completed for trustpoint DMVPN-CA.
Apr  1 16:15:22.846: CRYPTO_PKI:removing superceded cert serial #: 30
Apr  1 16:15:22.846: %CRYPTO_ENGINE-5-KEY_DELETED: A key named POC-VPN has been removed from key storage
Apr  1 16:15:22.846: ISAKMP: (1003):Schedule to delete SA 198.51.100.140:4500 dst 203.0.113.144:4500  fvrf 0x5, ivrf 0x5 in 60 seconds
Apr  1 16:15:22.846: CRYPTO_PKI: Key Rollover - Switched from keypair POC-VPN# to POC-VPN
Apr  1 16:15:22.846: CRYPTO_PKI: All enrollment requests completed for trustpoint DMVPN-CA.
Apr  1 16:15:22.846: %PKI-6-AUTOSAVE: Running configuration saved to NVRAM
Apr  1 16:15:22.891: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Apr  1 16:15:22.891: IPSEC(delete_sa): deleting SA,

Debugs enabled
debug crypto isakmp
debug crypto ipsec
debug crypto ipsec message
debug crypto ipsec states
debug crypto isakmp error
debug crypto pki transactions
debug crypto pki message

Conditions:
IPsec VPN tunnel with certificate authentication (IKEv1), with certificate renewal using SCEP
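As an added illustration (not part of the Cisco bug record), a small Python check that flags the signature shown in the debug excerpt above: a CRYPTO_ENGINE KEY_DELETED event followed within a few seconds by an ISAKMP scheduled SA deletion. The sample lines are copied from the excerpt; the correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines taken from the debug excerpt in the bug description.
SAMPLE_DEBUG = """\
Apr  1 16:15:22.845: %PKI-6-CERT_INSTALL: An ID certificate has been installed under
Apr  1 16:15:22.846: CRYPTO_PKI:removing superceded cert serial #: 30
Apr  1 16:15:22.846: %CRYPTO_ENGINE-5-KEY_DELETED: A key named POC-VPN has been removed from key storage
Apr  1 16:15:22.846: ISAKMP: (1003):Schedule to delete SA 198.51.100.140:4500 dst 203.0.113.144:4500  fvrf 0x5, ivrf 0x5 in 60 seconds
Apr  1 16:15:22.846: CRYPTO_PKI: Key Rollover - Switched from keypair POC-VPN# to POC-VPN
Apr  1 16:15:22.891: IPSEC(delete_sa): deleting SA,
"""

# IOS syslog/debug line: "<Mon> <d> HH:MM:SS.mmm: <message>" (no year field).
TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): (?P<msg>.*)$")
KEY_DELETED_RE = re.compile(r"%CRYPTO_ENGINE-5-KEY_DELETED: A key named (\S+) has been removed")
SA_DELETE_RE = re.compile(r"ISAKMP: \((\d+)\):Schedule to delete SA (\S+) dst (\S+)")


def parse_ts(raw):
    # Collapse the double space in "Apr  1"; year is irrelevant for deltas.
    return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S.%f")


def find_rollover_flaps(log_text, window=timedelta(seconds=5)):
    """Return one finding per ISAKMP SA deletion scheduled within `window`
    after a keypair was removed from key storage (assumed window value)."""
    events = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["msg"]))

    removed_keys = {}  # keypair name -> time it was removed
    findings = []
    for ts, msg in events:
        m = KEY_DELETED_RE.search(msg)
        if m:
            removed_keys[m.group(1)] = ts
            continue
        m = SA_DELETE_RE.search(msg)
        if m:
            for key, t0 in removed_keys.items():
                if timedelta(0) <= ts - t0 <= window:
                    findings.append({"sa_id": m.group(1), "src": m.group(2),
                                     "dst": m.group(3), "keypair": key,
                                     "delay_s": (ts - t0).total_seconds()})
    return findings


if __name__ == "__main__":
    for f in find_rollover_flaps(SAMPLE_DEBUG):
        print(f"SA {f['sa_id']} to {f['dst']} torn down {f['delay_s']}s after keypair {f['keypair']} was removed")
```

Running this over a longer debug capture lets you confirm whether an observed tunnel flap lines up with the certificate/keypair rollover described here rather than with an unrelated cause.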