
Cisco Bug: CSCvv35941 - FlexVPN-AnyConnect unable to establish tunnel if same protocol for Integrity and PRF is not used

Last Modified

Sep 15, 2020

Products (1)

  • Cisco AnyConnect Secure Mobility Client

Known Affected Releases

4.9(1095)

Description (partial)

Symptom:
Using different algorithms for INTEGRITY and PRF in the IKEv2 proposal causes AnyConnect to fail to complete the connection.

For instance, with SHA256 for Integrity and SHA384 for PRF, "Phase I" completes, but once the user's credentials are entered, AnyConnect terminates the connection with the following error (DART): "  Negotiation aborted due to ERROR: Failed to authenticate the IKE SA"

The curious part is that the tunnel is established on the Router side:

    Tunnel-id Local               Remote                 fvrf/ivrf   Status
    1         IP_router/4500      IP_remoteUSer/60029    none/none   READY
          Encr: AES-CBC, keysize: 256, PRF: SHA384, Hash: SHA256, DH Grp:20, Auth sign: RSA, Auth verify: AnyConnect-EAP
          Life/Active Time: 86400/45 sec

This issue does not occur on the Cisco firewalls (ASA/FTD): an IKEv2 connection from AnyConnect can be established there using different algorithms for INTEGRITY and PRF.

S2S tunnels can also be established with different algorithms, so the issue is specific to the Router and its FlexVPN-AnyConnect functionality. It is seen on all AC versions (4.9 being the latest).

Conditions:
Having different protocols for Integrity and PRF such as:

ISR#sh crypto ikev2 proposal 
 IKEv2 proposal: default 
     Integrity  : SHA256
     PRF        : SHA384
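As an added example (not part of the Cisco bug page), the following Python audit parses `show crypto ikev2 proposal` output and reports every proposal whose Integrity and PRF hash families differ, which is the condition described above; the sample output is constructed, and the normalization of the IOS display names SHA96 and MD596 to SHA1 and MD5 is an assumption about the show-command format.

```python
import re

# Cisco IOS lists the SHA1 / MD5 integrity algorithms with their truncation
# length (SHA96, MD596) while the PRF column uses bare hash names; this
# mapping (an assumption about the display format) lets both be compared.
_INTEGRITY_ALIASES = {"SHA96": "SHA1", "MD596": "MD5"}


def _normalize(names):
    """Map displayed algorithm names to their hash family, upper-cased."""
    return {_INTEGRITY_ALIASES.get(n.upper(), n.upper()) for n in names}


def parse_ikev2_proposals(show_output):
    """Parse 'show crypto ikev2 proposal' text into {name: {field: [algs]}}."""
    proposals, current = {}, None
    for line in show_output.splitlines():
        m = re.match(r"\s*IKEv2 proposal:\s*(\S+)", line)
        if m:
            current = m.group(1)
            proposals[current] = {}
            continue
        m = re.match(r"\s*(Encryption|Integrity|PRF|DH Group)\s*:\s*(.*)$", line)
        if m and current is not None:
            proposals[current][m.group(1)] = m.group(2).split()
    return proposals


def find_integrity_prf_mismatches(show_output):
    """Return {proposal: (integrity_only, prf_only)} for every proposal whose
    Integrity and PRF hash families are not the same set (CSCvv35941 trigger)."""
    mismatches = {}
    for name, fields in parse_ikev2_proposals(show_output).items():
        integ = _normalize(fields.get("Integrity", []))
        prf = _normalize(fields.get("PRF", []))
        if integ != prf:
            mismatches[name] = (sorted(integ - prf), sorted(prf - integ))
    return mismatches


# Constructed sample: the mismatched 'default' proposal from the bug report
# plus a constructed proposal whose Integrity and PRF lists agree.
SAMPLE_OUTPUT = """\
ISR#sh crypto ikev2 proposal
 IKEv2 proposal: default
     Encryption : AES-CBC-256
     Integrity  : SHA256
     PRF        : SHA384
 IKEv2 proposal: AC-PROPOSAL
     Encryption : AES-CBC-256 AES-CBC-128
     Integrity  : SHA384 SHA256 SHA96
     PRF        : SHA384 SHA256 SHA1
"""

if __name__ == "__main__":
    for name, (i_only, p_only) in find_integrity_prf_mismatches(SAMPLE_OUTPUT).items():
        print(f"proposal {name}: Integrity-only {i_only}, PRF-only {p_only}")
```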