Cisco Bug: CSCvv88017 - ASA: EasyVPN HW Client triggers duplicate phase 2 rekey causing disconnections across the tunnel

Last Modified

Oct 18, 2020

Products (1)

  • Cisco Adaptive Security Appliance (ASA) Software

Known Affected Releases

9.12(3.150)

Description (partial)

Symptom:
If the IKEv1 phase 1 and phase 2 lifetimes eventually coincide (for example, phase 1 every 24 hours and phase 2 every 8 hours, so both expire at the third phase 2 rekey), the connections that were established across the VPN tunnel may get disconnected (this happens randomly).

There are times when the phase 1 and phase 2 rekeys are "simultaneous" and the connections across the tunnel are torn down. Whenever this happens we can see that any IPsec SA that was rekeyed right after the phase 1 rekey is negotiated successfully, but after a few seconds the client triggers a phase 2 rekey again (only for the SAs that were rekeyed right after the P1 rekey).

We have the following event sequence in this case (time lapses and number of SAs can differ):

1. Phase 2 rekey for 2 out of 3 SAs completes successfully
2. Phase 1 rekey is triggered 25 seconds later, but it seems to be interrupted by the phase 2 rekey of the remaining SA
3. Phase 2 rekey for the remaining SA begins
4. The phase 2 rekey completes successfully with new SPI values (according to the packet captures, traffic is exchanged using these SPI values); 3 seconds after that, we get the log that the phase 1 rekey is also complete
5. A few seconds after that (less than 20), we can see that a new phase 2 rekey is triggered by the client for the same SA that was rekeyed after the phase 1 rekey, and multiple SPIs are received from the engine; only one of them is kept in the end
6. The client sends a DELETE for the previous SPI values (the ones negotiated during the first phase 2 rekey)
7. A DELETE is received from the EasyVPN server for the previous new SPI values
8. Soon after that, we can see that the connection across the tunnel is torn down with the reason "Tunnel has been torn down"

The connection in this case:

Teardown TCP connection 81017 for outside:10.2.42.4/61440 to inside:10.10.4.242/1720 duration 20:22:38 bytes 44533 Tunnel has been torn down


Every time the issue happens (duplicate rekey causing the connection to be torn down) we can see the following log (logging class vpn and vpnc with debugging level should be enabled):

"%ASA-5-752016: IKEv1 was successful at setting up a tunnel.  Map Tag = _vpnc_cm. Map Sequence Number = 10."

Conditions:
First seen on a 5506 as an EasyVPN client, NEM enabled
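As an added example (not part of the bug report or any Cisco tooling), the following Python computes when the two IKEv1 lifetimes first coincide and correlates the %ASA-5-752016 message with a "Tunnel has been torn down" teardown in syslog. The timestamped syslog prefix format and the sample log lines are constructed assumptions.

```python
import re
from datetime import datetime
from math import gcd


def first_rekey_collision(p1_lifetime_s, p2_lifetime_s):
    """Return (seconds until phase 1 and phase 2 rekeys first coincide,
    which phase 2 rekey that is). Example: 24h/8h collide at the 3rd P2 rekey."""
    t = p1_lifetime_s * p2_lifetime_s // gcd(p1_lifetime_s, p2_lifetime_s)
    return t, t // p2_lifetime_s


# Assumed prefix produced with 'logging timestamp' on the ASA (constructed format).
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2})")
REKEY_MSG = "%ASA-5-752016"                 # message logged on every duplicate rekey
TEARDOWN_REASON = "Tunnel has been torn down"


def parse_ts(line):
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S") if m else None


def correlate(lines, window_s=60):
    """Flag TCP teardowns with reason 'Tunnel has been torn down' that follow a
    %ASA-5-752016 message within window_s seconds; other teardown reasons are ignored."""
    hits, last_rekey = [], None
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        if REKEY_MSG in line:
            last_rekey = ts
        elif "Teardown TCP connection" in line and line.rstrip().endswith(TEARDOWN_REASON):
            if last_rekey and 0 <= (ts - last_rekey).total_seconds() <= window_s:
                hits.append(line)
    return hits


# Constructed sample lines modelled on the messages quoted in the bug description.
SAMPLE_LOG = """\
Oct 18 2020 10:15:02: %ASA-5-752016: IKEv1 was successful at setting up a tunnel.  Map Tag = _vpnc_cm. Map Sequence Number = 10.
Oct 18 2020 10:15:14: %ASA-6-302014: Teardown TCP connection 81017 for outside:10.2.42.4/61440 to inside:10.10.4.242/1720 duration 20:22:38 bytes 44533 Tunnel has been torn down
Oct 18 2020 11:40:00: %ASA-6-302014: Teardown TCP connection 81020 for outside:10.2.42.4/61441 to inside:10.10.4.242/1720 duration 0:01:03 bytes 1200 TCP FINs
""".splitlines()

if __name__ == "__main__":
    print(first_rekey_collision(24 * 3600, 8 * 3600))
    for hit in correlate(SAMPLE_LOG):
        print("suspected duplicate-rekey teardown:", hit)
```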