Cisco Bug: CSCvu14823 - Crash on IOS-XE router when authenticating expired IPSec peer certificate

Last Modified

Sep 10, 2020

Products (14)

  • Cisco IOS
  • Cisco 4221 Integrated Services Router
  • Cisco ASR 1000 Series IOS XE SD-WAN
  • Cisco 4321 Integrated Services Router
  • Cisco 4331 Integrated Services Router
  • Cisco ASR 1002-X Router
  • Cisco ASR 1001-X Router
  • Cisco 4351 Integrated Services Router
  • Cisco ISR 4000 Series IOS XE SD-WAN
  • Cisco ISR 1000 Series IOS XE SD-WAN

Known Affected Releases

16.9.4 16.9.5

Description (partial)

Crash after an IOS-XE router attempts to establish an IPSec tunnel and fails to verify the peer because the certificate it received has expired. The following logs are seen before the crash:

%PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.  The certificate (SN: <here goes the cert SN>) has expired.    Validity period ended on <expiration date>
%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from <peer_IP> is bad: CA request failed!

We see a crash in the following process:

UNIX-EXT-SIGNAL: Segmentation fault(11), Process = Crypto PKI-CRL

The known conditions are:
* Router is reloaded.
* After boot up the router attempts to establish an IPSec tunnel with the peer and authenticates with a PKI cert.
* The router fails to validate the peer's cert because it is expired.
* The router crashes.
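As an added example (not part of the Cisco bug record), the following syslog triage script flags the symptom sequence described above, the two certificate-validation messages followed by the Crypto PKI-CRL segfault, when it occurs on one of the listed affected releases. The sample log lines, timestamps, serial number and peer address are constructed.

```python
import re
from dataclasses import dataclass, field

# Syslog signatures quoted in the bug description; the SN and peer fields
# are captured where the description shows placeholders.
EXPIRED_RE = re.compile(r"%PKI-3-CERTIFICATE_INVALID_EXPIRED: .*\(SN: (?P<sn>[^)]+)\) has expired")
INVAL_RE = re.compile(r"%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from (?P<peer>\S+) is bad")
CRASH_RE = re.compile(r"UNIX-EXT-SIGNAL: Segmentation fault\(11\), Process = Crypto PKI-CRL")

# Releases listed under "Known Affected Releases" on this bug.
AFFECTED_RELEASES = {"16.9.4", "16.9.5"}


@dataclass
class Finding:
    release: str
    expired_serials: list = field(default_factory=list)
    bad_peers: list = field(default_factory=list)
    crash_after_cert_failure: bool = False

    def matches_bug(self) -> bool:
        """True when the full symptom sequence appears on an affected release."""
        return (self.release in AFFECTED_RELEASES
                and bool(self.expired_serials)
                and bool(self.bad_peers)
                and self.crash_after_cert_failure)


def analyze(release: str, log_lines) -> Finding:
    """Walk syslog lines in order; the crash only counts if it follows the cert failure."""
    f = Finding(release=release)
    cert_failure_seen = False
    for line in log_lines:
        if m := EXPIRED_RE.search(line):
            f.expired_serials.append(m.group("sn"))
        elif m := INVAL_RE.search(line):
            f.bad_peers.append(m.group("peer"))
            cert_failure_seen = bool(f.expired_serials)
        elif CRASH_RE.search(line) and cert_failure_seen:
            f.crash_after_cert_failure = True
    return f


# Constructed sample syslog excerpt (timestamps, serial and peer are made up).
SAMPLE_LOG = [
    "*Sep 10 10:01:02.123: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.  "
    "The certificate (SN: 0A1B2C3D4E) has expired.    Validity period ended on 23:59:59 UTC Aug 31 2020",
    "*Sep 10 10:01:02.125: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 198.51.100.7 is bad: CA request failed!",
    "*Sep 10 10:01:03.400: UNIX-EXT-SIGNAL: Segmentation fault(11), Process = Crypto PKI-CRL",
]

if __name__ == "__main__":
    result = analyze("16.9.4", SAMPLE_LOG)
    print(result, "matches CSCvu14823:", result.matches_bug())
```

Feed it the output of a crash-time syslog capture together with the running release string; a match indicates the peer certificate should be renewed and the router moved to a fixed release rather than reloaded again.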