Cisco Bug: CSCvu52727 - IKEv2: IKEv2 SA stuck in DELETE after link flap
Jul 21, 2020
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom: A pair of FP4145s running ASA code is configured with VPN load balancing. When there is a link flap on the master (a link flap on the outside interface), all the sessions that were on the master get disconnected (expected behavior). The issue is that there is always one random session that gets stuck in the DELETE state right after the flap occurs. This stale entry is always present (it is never the same IP address) and cannot be removed; only a reload removes it.

    4145-ASA1# show crypto ikev2 sa

    IKEv2 SAs:

    Session-id:34524, Status:UP-IDLE, IKE count:1, CHILD count:0

    Tunnel-id Local Remote Status Role
    1590083277 x.0.0.11/500 y.0.36.4/500 DELETE RESPONDER
          Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA
          Life/Active Time: 86400/1535 sec
    4145-ASA1#

Conditions: ASAs in the VPN cluster are terminating thousands of RA-IKEv2 tunnels with certificate authentication.
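Because the stale SA cannot be cleared without a reload, the practical check is to monitor for it. The following is an added example, not part of the Cisco bug record: it parses `show crypto ikev2 sa` output in the layout shown above and flags SAs that have sat in DELETE for longer than a normal teardown would take. The sample output is constructed (a second, healthy session is added to the report's anonymised one) and the 300-second threshold is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the report's "show crypto ikev2 sa" output, with a
# second healthy session added; addresses are anonymised like the report's. Not captured data.
SAMPLE_OUTPUT = """\
4145-ASA1# show crypto ikev2 sa
IKEv2 SAs:
Session-id:34524, Status:UP-IDLE, IKE count:1, CHILD count:0
Tunnel-id Local Remote Status Role
1590083277 x.0.0.11/500 y.0.36.4/500 DELETE RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/1535 sec
Session-id:34601, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
1590083301 x.0.0.11/500 y.0.41.9/500 READY RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/120 sec
4145-ASA1#
"""

# One SA row: Tunnel-id Local Remote Status Role
TUNNEL_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+([A-Z_-]+)\s+(INITIATOR|RESPONDER)\s*$")
LIFE_RE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec")

def parse_ikev2_sas(text: str) -> List[Dict]:
    """Return one dict per SA row; Life/Active Time attaches to the preceding row."""
    sas: List[Dict] = []
    for line in text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            sas.append({"tunnel_id": int(m.group(1)), "local": m.group(2), "remote": m.group(3),
                        "status": m.group(4), "role": m.group(5), "life_sec": None, "active_sec": None})
            continue
        m = LIFE_RE.search(line)
        if m and sas:
            sas[-1]["life_sec"], sas[-1]["active_sec"] = int(m.group(1)), int(m.group(2))
    return sas

def stale_delete_sas(sas: List[Dict], min_active_sec: int = 300) -> List[Dict]:
    """SAs still in DELETE after min_active_sec (assumed threshold): candidates for the stuck entry."""
    return [sa for sa in sas
            if sa["status"] == "DELETE" and (sa["active_sec"] or 0) >= min_active_sec]

if __name__ == "__main__":
    for sa in stale_delete_sas(parse_ikev2_sas(SAMPLE_OUTPUT)):
        print(f"stuck DELETE SA: tunnel {sa['tunnel_id']} {sa['local']} <- {sa['remote']} active {sa['active_sec']}s")
```

Feed it the live command output on a schedule; a hit after a link flap on the master is the signature described in this bug and is worth correlating with the flap time before planning the reload.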