Cisco Bug: CSCvv46240 - AnyConnect fails to authenticate on the IOS-XE headend using EAP-MD5 protocol

Last Modified

Sep 01, 2020

Products (1)

  • Cisco ASR 1000 Series Aggregation Services Routers

Known Affected Releases

  • 16.6.3
  • 17.2.1r

Description (partial)

Symptom:
AnyConnect clients cannot connect to an IOS-XE based headend and report the error "The IPSec VPN connection has terminated due to an authentication failure or timeout. Please contact your network administrator".
EAP user authentication itself succeeds: the RADIUS server returns an "Access-Accept".
Debug logs on the router contain the following messages:

IKEv2:(SESSION ID = 17,SA ID = 1):Verify peer's authentication data
IKEv2:(SESSION ID = 17,SA ID = 1):Use preshared key for id peerid, key len 20
IKEv2:(SESSION ID = 17,SA ID = 1):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
crypto_engine: Generate IKEv2 auth
IKEv2:(SESSION ID = 17,SA ID = 1):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
IKEv2-INTERNAL:(SESSION ID = 17,SA ID = 1):Computing AUTH data to authenticate Peer, error = 1
IKEv2-INTERNAL:(SESSION ID = 17,SA ID = 1):Peer AUTH WITHOUT PPK is used to Compare
IKEv2-INTERNAL:(SESSION ID = 17,SA ID = 1):Computed authentication value for peer differs from what peer sent
IKEv2-ERROR:(SESSION ID = 17,SA ID = 1):: Failed to authenticate the IKE SA
IKEv2-INTERNAL:(SESSION ID = 17,SA ID = 1):SM Trace-> SA: I_SPI=901F53080C73A775 R_SPI=E9C1DB0E00C65ABF (R) MsgID = 4 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
IKEv2:(SESSION ID = 17,SA ID = 1):Verification of peer's authentication data FAILED

Conditions:
AnyConnect
IKEv2 using EAP-MD5 authentication
IOS-XE
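The debug lines above end at the responder's AUTH comparison, which is the last step of IKE_AUTH when EAP is in use. The following Python is an added example, not text from the bug report and not Cisco's code: it implements the shared-secret AUTH construction of RFC 7296 section 2.15 and the comparison the headend performs in state R_VERIFY_AUTH. Per RFC 7296 section 2.16, an EAP method that does not produce an MSK (EAP-MD5 is one) leaves SK_pi and SK_pr as the "shared secret" for messages 7 and 8; the 20-byte key in "key len 20" is consistent with SK_pi under PRF_HMAC_SHA1, but that PRF is an assumption here, not something the bug text states. The key, nonce, ID payload and message bytes are constructed test vectors, and the example does not claim to reproduce the actual root cause of CSCvv46240, which the partial description does not give.

```python
"""Added example: the IKEv2 AUTH check behind "Computed authentication value
for peer differs from what peer sent".

Implements the shared-secret AUTH construction of RFC 7296 section 2.15 and the
responder-side comparison. All keys, nonces and message bytes are constructed
test vectors (hypothetical), not captured from a device, and PRF_HMAC_SHA1 is
assumed as the negotiated PRF.
"""
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"  # literal pad string from RFC 7296 section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA1 (assumed negotiated PRF); output and preferred key length are 20 bytes."""
    return hmac.new(key, data, hashlib.sha1).digest()


def signed_octets(real_message: bytes, peer_nonce: bytes, sk_p: bytes,
                  id_payload_rest: bytes) -> bytes:
    """<InitiatorSignedOctets> / <ResponderSignedOctets> per RFC 7296 2.15:
    RealMessage | other side's NonceData | prf(SK_p, RestOfIDPayload)."""
    maced_id = prf(sk_p, id_payload_rest)
    return real_message + peer_nonce + maced_id


def auth_shared_secret(shared_secret: bytes, octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>).
    For EAP methods without an MSK, section 2.16 makes SK_pi/SK_pr the shared secret."""
    return prf(prf(shared_secret, KEY_PAD), octets)


def responder_verifies_initiator(sk_pi_local: bytes, octets: bytes,
                                 received_auth: bytes) -> bool:
    """The R_VERIFY_AUTH step: recompute the peer's AUTH from the responder's own
    view of the key and signed octets, then compare in constant time."""
    computed = auth_shared_secret(sk_pi_local, octets)
    return hmac.compare_digest(computed, received_auth)


# Constructed inputs (hypothetical, fixed so the run is reproducible).
SK_PI = bytes(range(20))                                    # 20-byte SK_pi
REAL_MESSAGE_1 = b"\x00" * 28 + b"SA+KE+Ni (IKE_SA_INIT request, constructed)"
NONCE_R = b"responder-nonce-constructed"
ID_I_REST = b"\x02\x00\x00\x00" + b"user@example.com"      # ID type + reserved + data


def demo() -> dict:
    """Run the check three ways and return the outcomes."""
    octets = signed_octets(REAL_MESSAGE_1, NONCE_R, SK_PI, ID_I_REST)
    auth_from_client = auth_shared_secret(SK_PI, octets)   # what the initiator sends

    # Case 1: both peers agree on key and signed octets -> verification PASSED.
    match = responder_verifies_initiator(SK_PI, octets, auth_from_client)

    # Case 2: responder uses a different 20-byte key -> value differs, EV_AUTH_FAIL.
    other_key = bytes(20)
    wrong_key = responder_verifies_initiator(other_key, octets, auth_from_client)

    # Case 3: same key, but the responder's reconstruction of the signed octets
    # differs in one bit -> also fails; the trace cannot distinguish 2 from 3.
    octets_bad = octets[:-1] + bytes([octets[-1] ^ 0x01])
    wrong_octets = responder_verifies_initiator(SK_PI, octets_bad, auth_from_client)

    return {"match": match, "wrong_key": wrong_key,
            "wrong_octets": wrong_octets, "auth_len": len(auth_from_client)}


if __name__ == "__main__":
    print(demo())
```

Any disagreement between the two peers on either the key or the reconstructed signed octets yields a different AUTH value, which is the "Computed authentication value for peer differs from what peer sent" path in the trace; the debug output alone does not say which of the two inputs differed, so the bug's fixed-release notes are the authoritative source for the cause.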