Cisco Bug: CSCvu65688 - IKEv2 CAC "Active SAs" counter out of sync with the real number of sessions despite CSCvt98599

Last Modified

Sep 11, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.12(3.12)

Description (partial)

Symptom:
On the ASA, the IKEv2 Call Admission Statistics "Active SAs" counter can go out of sync with the real number of IKEv2 sessions shown by "show vpn-sessiondb". When the CAC "Active SAs" counter reaches the platform limit, new sessions cannot be established and the following syslog message is generated:

%ASA-4-751015: Local:0.0.0.0:0 Remote:0.0.0.0:0 Username:Unknown IKEv2 SA request rejected by CAC. Reason: SA LIMIT REACHED

Conditions:
This can happen after a failover event if the Failover State link is up and fully operational. All ASA versions are affected.
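
The check below is an added example, not Cisco code: it finds the %ASA-4-751015 rejections quoted above in collected syslog and separates genuine SA exhaustion from the counter desync described in this bug. The function names, the sample log lines, and the session count and platform limit (read by the operator from the device and passed in) are assumptions.

```python
import re
from collections import Counter

# Line layout taken from the %ASA-4-751015 message quoted on this page.
CAC_REJECT = re.compile(
    r"%ASA-4-751015: Local:(?P<local>\S+) Remote:(?P<remote>\S+) "
    r"Username:(?P<user>.+?) IKEv2 SA request rejected by CAC\. "
    r"Reason: (?P<reason>.+?)\s*$"
)

def cac_rejections(lines):
    """Return one dict per 751015 CAC rejection found in the syslog lines."""
    hits = []
    for line in lines:
        m = CAC_REJECT.search(line)
        if m:
            hits.append(m.groupdict())
    return hits

def assess(lines, real_sessions, platform_limit):
    """Classify SA-limit rejections as genuine exhaustion or counter desync.

    real_sessions: IKEv2 session count the operator read from
    "show vpn-sessiondb"; platform_limit: the platform's SA limit.
    Both are operator-supplied (assumption); no CLI output is parsed here.
    """
    reasons = Counter(h["reason"] for h in cac_rejections(lines))
    limit_hits = reasons.get("SA LIMIT REACHED", 0)
    if limit_hits == 0:
        verdict = "no-sa-limit-rejections"
    elif real_sessions < platform_limit:
        # New SAs are refused although real sessions are below the limit.
        verdict = "suspect-counter-desync"
    else:
        verdict = "genuine-limit"
    return {"sa_limit_rejections": limit_hits, "verdict": verdict}

# Constructed sample: timestamps, hostname and the second line are invented.
SAMPLE = [
    "Sep 01 10:00:01 fw1 %ASA-4-751015: Local:0.0.0.0:0 Remote:0.0.0.0:0 "
    "Username:Unknown IKEv2 SA request rejected by CAC. Reason: SA LIMIT REACHED",
    "Sep 01 10:00:02 fw1 unrelated message (constructed)",
    "Sep 01 10:00:03 fw1 %ASA-4-751015: Local:0.0.0.0:0 Remote:0.0.0.0:0 "
    "Username:Unknown IKEv2 SA request rejected by CAC. Reason: SA LIMIT REACHED",
]

if __name__ == "__main__":
    # 40 sessions and a limit of 250 are constructed values for illustration.
    print(assess(SAMPLE, real_sessions=40, platform_limit=250))
```

A "suspect-counter-desync" verdict that first appears after a failover event matches the conditions listed for this bug.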