Cisco Bug: CSCvv09396 - Stale VPN routes for L2TP, after the session was terminated

Last Modified

Oct 06, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.12(3) 9.14(1)

Description (partial)

Symptom:
Example:
Check the routing table:
..
V 10.0.98.77 255.255.255.255 connected by VPN (advertised), outside
..

- But there are no sessions for that IP, no entries in the uauth table, and the IP is still available in the ip-pool.

The next user that gets assigned that IP, for which the stale route still exists, is affected:
# packet-tracer input inside icmp <local_host> 8 0 <AnyConnect_IP> detailed
...
Phase: 11
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f6d70accf30, priority=12, domain=filter-aaa, deny=true
hits=1449, user_data=0x7f6d65218300, filter_id=0x0(-implicit deny-), protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Conditions:
ASA, standalone, local users auth, local ip-pool
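The symptom above is detectable from the device's own output: a route flagged "connected by VPN" whose host address belongs to no active session. The script below is an added example, not Cisco's code or a workaround from the bug record (the full description is only visible after login). It parses constructed excerpts of "show route" and "show vpn-sessiondb" output, which are assumed to follow the line formats shown in the bug and the "Assigned IP  :" field layout of the session database, and reports VPN host routes that no session accounts for. Prefix, field names and sample addresses are constructed for illustration.

```python
import re

# Constructed "show route" excerpt, modelled on the line quoted in the bug report.
# The 10.0.98.77 route is the stale one: no session below owns it.
SHOW_ROUTE = """\
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       V - VPN
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
C        10.0.98.0 255.255.255.0 is directly connected, inside
V        10.0.98.77 255.255.255.255 connected by VPN (advertised), outside
V        10.0.98.78 255.255.255.255 connected by VPN (advertised), outside
"""

# Constructed "show vpn-sessiondb" excerpt (assumed field layout): one live session.
SHOW_VPN_SESSIONDB = """\
Session Type: IKEv1 IPsec / L2TP over IPsec

Username     : alice                  Index        : 12
Assigned IP  : 10.0.98.78             Public IP    : 198.51.100.25
Protocol     : IKEv1 IPsec L2TPOverIPsec
"""

# A VPN host route: code "V", a /32 mask, and the "connected by VPN" marker.
VPN_ROUTE_RE = re.compile(
    r"^V\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+255\.255\.255\.255\s+connected by VPN",
    re.MULTILINE,
)

# The address handed out to a session (assumed "Assigned IP : x.x.x.x" layout).
ASSIGNED_IP_RE = re.compile(r"Assigned IP\s*:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_vpn_routes(show_route: str) -> set[str]:
    """Return the set of host addresses that have a 'connected by VPN' route."""
    return {m.group("ip") for m in VPN_ROUTE_RE.finditer(show_route)}


def parse_assigned_ips(show_vpn_sessiondb: str) -> set[str]:
    """Return the set of addresses currently assigned to VPN sessions."""
    return {m.group("ip") for m in ASSIGNED_IP_RE.finditer(show_vpn_sessiondb)}


def find_stale_vpn_routes(show_route: str, show_vpn_sessiondb: str) -> list[str]:
    """VPN host routes with no owning session, sorted for stable reporting.

    A non-empty result means the condition from the bug is present: the next
    user assigned one of these addresses will hit the stale route and be
    dropped by the filter-aaa implicit deny shown in the packet-tracer output.
    """
    routes = parse_vpn_routes(show_route)
    assigned = parse_assigned_ips(show_vpn_sessiondb)
    return sorted(routes - assigned, key=lambda ip: tuple(int(o) for o in ip.split(".")))


def main() -> None:
    stale = find_stale_vpn_routes(SHOW_ROUTE, SHOW_VPN_SESSIONDB)
    if not stale:
        print("No stale VPN routes found.")
        return
    print("Stale VPN host routes (route present, no active session):")
    for ip in stale:
        print(f"  {ip}")


if __name__ == "__main__":
    main()
```

Run it against real captures by replacing the two constructed strings with the output of "show route" and "show vpn-sessiondb" from the ASA; a periodic run that alerts on a non-empty result flags the stale-route condition before the next pool assignment hands an affected address to a user.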
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.