Cisco Bug: CSCvu52727 - IKEv2: IKEv2 SA stuck in DELETE after link flap

Last Modified

Jul 21, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

  • 9.12(3.100)
  • 9.12(3.9)

Description (partial)

Symptom:
A pair of FP4145s running ASA code, configured for VPN load balancing.

When there is a link flap on the master (link flap on the outside interface), all the sessions that were on the master get disconnected (expected behavior).

The issue is that there is always exactly one random session that gets stuck in the DELETE state right after the flap occurs.
This stale entry is always present (it is never the same peer IP address), and it cannot be removed manually; only a reload clears it.

4145-ASA1# show crypto ikev2 sa

IKEv2 SAs:

Session-id:34524, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id Local                                               Remote                                                  Status         Role
1590083277 x.0.0.11/500                                       y.0.36.4/500                                           DELETE    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/1535 sec

4145-ASA1#

Conditions:
ASAs in the VPN cluster are terminating thousands of RA-IKEv2 tunnels with certificate authentication.
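As an added operator-side check that is not part of the bug record or Cisco's tooling: parse `show crypto ikev2 sa` output and report tunnels that remain in DELETE with no child SA across two snapshots, which separates the stale entry described above from a DELETE exchange that is simply in progress. The sample output is constructed in the layout shown in the bug (x/y octets anonymised as there), and the sampling interval is an assumption.

```python
import re
from collections import namedtuple

SESSION_RE = re.compile(r"Session-id:(\d+), Status:(\S+), IKE count:(\d+), CHILD count:(\d+)")
TUNNEL_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")  # numeric tunnel-id row only
LIFE_RE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec")

IkeSa = namedtuple("IkeSa", "session_id child_count tunnel_id remote status active_sec")


def parse_ikev2_sas(text):
    """Parse `show crypto ikev2 sa` text into one IkeSa per tunnel row."""
    sas, session_id, child_count, row = [], None, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := SESSION_RE.search(line):           # per-session header carries the CHILD count
            session_id, child_count = int(m[1]), int(m[4])
        elif m := TUNNEL_RE.match(line):           # the column-header row starts with text, so it is skipped
            row = m.groups()
        elif (m := LIFE_RE.search(line)) and row:  # the Life/Active line closes the entry
            tid, _local, remote, status, _role = row
            sas.append(IkeSa(session_id, child_count, int(tid), remote, status, int(m[2])))
            row = None
    return sas


def stuck_delete_sas(earlier, later):
    """Tunnel-ids in DELETE with no child SA in both snapshots; a real DELETE finishes in seconds."""
    before = {sa.tunnel_id for sa in earlier if sa.status == "DELETE" and sa.child_count == 0}
    return [sa for sa in later
            if sa.status == "DELETE" and sa.child_count == 0 and sa.tunnel_id in before]


def _block(session_id, sess_status, child_count, tunnel_id, remote, status, active):
    """Constructed session block in the layout of the bug's show output (sample data, not real)."""
    return (f"Session-id:{session_id}, Status:{sess_status}, IKE count:1, CHILD count:{child_count}\n\n"
            "Tunnel-id Local           Remote           Status    Role\n"
            f"{tunnel_id} x.0.0.11/500    {remote}/500    {status}    RESPONDER\n"
            "      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA\n"
            f"      Life/Active Time: 86400/{active} sec\n\n")


# Snapshot 1: the stuck SA, a DELETE genuinely in progress, and a healthy tunnel.
SNAPSHOT_1 = "IKEv2 SAs:\n\n" + _block(34524, "UP-IDLE", 0, 1590083277, "y.0.36.4", "DELETE", 1535) \
    + _block(34601, "UP-IDLE", 0, 1590083400, "y.0.36.7", "DELETE", 3) \
    + _block(34602, "UP-ACTIVE", 1, 1590083401, "y.0.36.9", "READY", 120)
# Snapshot 2, taken five minutes later (assumed interval): the in-progress DELETE is gone, the stuck one is not.
SNAPSHOT_2 = "IKEv2 SAs:\n\n" + _block(34524, "UP-IDLE", 0, 1590083277, "y.0.36.4", "DELETE", 1835) \
    + _block(34602, "UP-ACTIVE", 1, 1590083401, "y.0.36.9", "READY", 420)
```

Run `stuck_delete_sas(parse_ikev2_sas(SNAPSHOT_1), parse_ikev2_sas(SNAPSHOT_2))` to get the single stale entry; on a live box, feed it two captures of the command taken a few minutes apart.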