Cisco Bug: CSCvu89552 - ASA IKEv2 allows tunnel up with both peers for same proxy while using backup peer.

Last Modified

Jul 06, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.14(1.10)

Description (partial)

Symptom:
ASA is configured with a backup peer configuration for IKEv2:

crypto map outside_map 4 match address vpn1
crypto map outside_map 4 set peer 10.106.67.243 10.106.67.249 
crypto map outside_map 4 set ikev2 ipsec-proposal AES192

If traffic is generated from the remote end, sourced from both peers, the ASA establishes IKEv2 and IPsec SAs with both peers for the same proxy (identical traffic selectors):


Session-id:13, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                  Status         Role
1014113657 10.106.56.156/500                                   10.106.67.243/500                                        READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/83 sec
Child sa: local selector  192.168.90.0/0 - 192.168.90.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x1fda8972/0x6bf19fea  

IKEv2 SAs:

Session-id:14, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                  Status         Role
1020428909 10.106.56.156/500                                   10.106.67.249/500                                        READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/9 sec
Child sa: local selector  192.168.90.0/0 - 192.168.90.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x6d3315dc/0x23191032  
ASA#


With IKEv1 in the same scenario, the old tunnel is cleared instead, and debugs show the following log:
Jul 05 04:32:11 [IKEv1 DEBUG]Group = 10.106.67.249, IP = 10.106.67.249, Duplicate remote proxy (192.168.1.0/255.255.255.0) detected. Replacing old tunnel. Old peer: 10.106.67.243:500; New peer: 10.106.67.249:500
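A check an operator can run against this symptom, added here as an example that is not part of the Cisco bug report: parse `show crypto ikev2 sa`, group child SAs by their traffic selectors (the proxy), flag any proxy that is UP with more than one peer, and cross-reference those peers against the crypto map's `set peer` list to confirm they are primary and backup peers of one entry. The two sample outputs are constructed after the excerpt above, and the regular expressions assume the column layout shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample of `show run crypto map` output, modelled on the
# crypto map lines quoted in the bug report.
SAMPLE_CRYPTO_MAP = """\
crypto map outside_map 4 match address vpn1
crypto map outside_map 4 set peer 10.106.67.243 10.106.67.249
crypto map outside_map 4 set ikev2 ipsec-proposal AES192
"""

# Constructed sample of `show crypto ikev2 sa` output, modelled on the
# two sessions shown in the bug report.
SAMPLE_IKEV2_SA = """\
IKEv2 SAs:

Session-id:13, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                Status   Role
1014113657 10.106.56.156/500    10.106.67.243/500     READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/83 sec
Child sa: local selector  192.168.90.0/0 - 192.168.90.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x1fda8972/0x6bf19fea

IKEv2 SAs:

Session-id:14, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                Status   Role
1020428909 10.106.56.156/500    10.106.67.249/500     READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/9 sec
Child sa: local selector  192.168.90.0/0 - 192.168.90.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x6d3315dc/0x23191032
"""

SESSION_RE = re.compile(r"^Session-id:(\d+), Status:(\S+),")
TUNNEL_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
LOCAL_SEL_RE = re.compile(r"^\s*Child sa: local selector\s+(\S+ - \S+)")
REMOTE_SEL_RE = re.compile(r"^\s*remote selector\s+(\S+ - \S+)")
SET_PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")


def parse_backup_peers(config):
    """Map each crypto map entry (name, seq) to its ordered peer list."""
    peers = {}
    for line in config.splitlines():
        m = SET_PEER_RE.match(line.strip())
        if m:
            peers[(m.group(1), int(m.group(2)))] = m.group(3).split()
    return peers


def parse_ikev2_sessions(text):
    """Parse `show crypto ikev2 sa` into a list of session dicts."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            cur = {"session_id": int(m.group(1)), "status": m.group(2), "children": []}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        m = TUNNEL_RE.match(line)
        if m:
            cur["tunnel_id"] = m.group(1)
            cur["local"] = m.group(2)
            cur["peer"] = m.group(3).split("/")[0]  # drop the UDP port
            cur["role"] = m.group(5)
            continue
        m = LOCAL_SEL_RE.match(line)
        if m:
            cur["children"].append({"local": m.group(1)})
            continue
        m = REMOTE_SEL_RE.match(line)
        if m and cur["children"]:
            cur["children"][-1]["remote"] = m.group(1)
    return sessions


def find_duplicate_proxies(sessions):
    """Group child SAs by (local selector, remote selector) and return only
    the proxies that are up with more than one peer."""
    by_proxy = defaultdict(list)
    for s in sessions:
        for child in s["children"]:
            by_proxy[(child["local"], child.get("remote"))].append((s["session_id"], s["peer"]))
    return {proxy: hits for proxy, hits in by_proxy.items() if len(hits) > 1}


def report(config, sa_output):
    """For each duplicated proxy, list the crypto map entries whose peer list
    contains every peer involved: that is the backup-peer scenario of this bug."""
    backup = parse_backup_peers(config)
    findings = []
    for proxy, hits in find_duplicate_proxies(parse_ikev2_sessions(sa_output)).items():
        peers = {peer for _, peer in hits}
        entries = [k for k, plist in backup.items() if peers <= set(plist)]
        findings.append({"proxy": proxy, "hits": hits, "crypto_map_entries": entries})
    return findings


if __name__ == "__main__":
    for f in report(SAMPLE_CRYPTO_MAP, SAMPLE_IKEV2_SA):
        print("duplicate proxy:", f["proxy"])
        for sid, peer in f["hits"]:
            print("  session", sid, "peer", peer)
        print("  matching backup-peer crypto map entries:", f["crypto_map_entries"])
```

Run it against real output captured with `show run crypto map` and `show crypto ikev2 sa`; an empty report means no proxy is duplicated, while a finding whose `crypto_map_entries` is non-empty reproduces the condition described on this page (both the primary and the backup peer of one crypto map entry holding SAs for the same selectors).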

Conditions:
ASA (9.14 and above) is configured with a backup peer configuration for IKEv2.

The ASA receives traffic to bring up the tunnel from both peers.