BugZero | Cisco BugID CSCvc12306 - Limit ike-init queue to improve performance in sca...

Loading...

Operational Defect Database

A free repository of operational (non-security) bugs centralized through custom integrations with leading IT vendors.

Product

Enterprise platform
Bug Scrub Advisor
Operational Risk Scoring
Vendor Integrations

Company

Plans
Value Guide
About
Contact us

Resources

Blog
ServiceNow App
Trust Center
Risk Management
NIST
DORA

Operational Defect Database

A free repository of operational (non-security) bugs centralized through custom integrations with leading IT vendors.

Product

Enterprise platform
Bug Scrub Advisor
Operational Risk Scoring
Vendor Integrations

Company

Plans
Value Guide
About
Contact us

Resources

Blog
ServiceNow App
Trust Center
Risk Management
NIST
DORA

©2025 BugZero. All Rights Reserved.

Privacy Policy Terms of Service

BugZero | Cisco BugID CSCvc12306 - Limit ike-init queue to improve performance in sca...

ODD
Cisco
CSCvc12306

Cisco - Defect ID: CSCvc12306

Limit ike-init queue to improve performance in scaled scenarios

ODD
Cisco
CSCvc12306

Cisco - Defect ID: CSCvc12306

Limit ike-init queue to improve performance in scaled scenarios

Last updated on April 26th, 2025

BugZero Risk Score
6.1 Medium

Overall: 6.1

Severity: 6.4

Lifecycle: 9.1

Popularity: 5.1

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Bug Details

Views: 2

Description

Symptom

In large scale IKEv2 deployments, IKEv2 clients might not be able to connect. Issue would most likely occur after the router is reloaded or after some kind of failure in the path between the IKEv2 router and the clients.

Conditions

1) High rate of incoming IKEv2 INIT packets. (normally after a reboot of router or path failure between router and it's peers) 2) Seeing build up of packets in LOW queue (this is where IKEv2 INIT packets are queued) SIZE=current count of packets in the queue PEAK=high water mark of the queue size Router#show crypto ikev2 stats priority-queue ---------------------------------------------------- IKEV2 PRIORITY QUEUE SIZE PEAK ---------------------------------------------------- HIGHEST 0 11 HIGHER 0 5 HIGH 0 91 NORMAL 0 7 LOW 0 211680 <<<<This is abnormally large LOWER 0 0 LOWEST 0 26 3) There will likely be high CPU in IKEv2 process during this time while the router is processing packets from the queue

Workaround

1) Use an ACL or control plane policing to limit the rate of incoming IKE INIT packets such that the LOW queue does not continue to grow/climb.

Further Problem Description

This bug adds a CLI command to limit the queue size for IKEv2 INIT packets. The problem is that the RP in IOS-XE (IKEv2 process) can only service this queue at a given rate (the CPU speed and other process burdens determines this). If the rate of incoming IKEv2 INIT packets is faster than the rate at which the IKEv2 process can service the queue, we reach a tipping point where the queue will become hopelessly large. By the time the router gets to respond to a particular IKEv2 INIT from the queue, so much time has passed that the response is dropped by the initiating client (due to timeout). This issue starts to compound because the clients are likely continuing to send INIT packets to attempt to establish the tunnel. IKEv2 CAC does not solve this problem.

Change history

2025-04-26 Added: 16.10.1, 16.10.1a, 16.10.1b, 16.10.1c, 16.10.1d, 16.10.1e, 16.10.1f, 16.10.1g, 16.10.1i, 16.10.1s, 16.10.2, 16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.1c, 16.11.1s, 16.11.2, 16.12.1, 16.12.10, 16.12.10a, 16.12.1a, 16.12.1c, 16.12.1s, 16.12.1t, 16.12.1v, 16.12.1w, 16.12.1x, 16.12.1y, 16.12.1z, 16.12.1z1, 16.12.1z2, 16.12.2, 16.12.2a, 16.12.2s, 16.12.2t, 16.12.3, 16.12.3a, 16.12.3s, 16.12.4, 16.12.4a, 16.12.5, 16.12.5a, 16.12.5b, 16.12.6, 16.12.6a, 16.12.7, 16.12.8, 16.12.9, 16.3.10, 16.3.11, 16.3.5, 16.3.5a, 16.3.5b, 16.3.5c, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.10, 16.6.1a, 16.6.2, 16.6.2s, 16.6.3, 16.6.4, 16.6.4a, 16.6.4s, 16.6.5, 16.6.5a, 16.6.5b, 16.6.6, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, 16.8.1c, 16.8.1d, 16.8.1e, 16.8.1s, 16.8.2, 16.8.3, 16.9.1, 16.9.1a, 16.9.1b, 16.9.1c, 16.9.1d, 16.9.1s, 16.9.2, 16.9.2a, 16.9.2s, 16.9.3, 16.9.3a, 16.9.3h, 16.9.3s, 16.9.4, 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 17.05.01c, 17.1.1, 17.1.1a, 17.1.1s, 17.1.1t, 17.1.2, 17.1.3, 17.10.1, 17.10.1a, 17.10.1b, 17.11.1, 17.11.1a, 17.12.02a, 17.12.1, 17.12.1a, 17.12.1w, 17.12.1x, 17.12.2, 17.12.2a, 17.2.1, 17.2.1LA, 17.2.1a, 17.2.1r, 17.2.1v, 17.2.2, 17.2.3, 17.3.1, 17.3.1a, 17.3.1w, 17.3.1x, 17.3.1z, 17.3.2, 17.3.2a, 17.3.3, 17.3.3a, 17.3.4, 17.3.4a, 17.3.4b, 17.3.4c, 17.3.5, 17.3.5a, 17.3.5b, 17.3.6, 17.3.7, 17.3.8, 17.3.8a, 17.4.1, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b, 17.5.1c, 17.6.1, 17.6.1a, 17.6.1w, 17.6.1x, 17.6.1y, 17.6.1z, 17.6.1z1, 17.6.2, 17.6.3, 17.6.3a, 17.6.4, 17.6.5, 17.6.5a, 17.6.6, 17.6.6a, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.8.1, 17.8.1a, 17.9.1, 17.9.1a, 17.9.1w, 17.9.1x, 17.9.1x1, 17.9.1y, 17.9.1y1, 17.9.2, 17.9.2a, 17.9.3, 17.9.3a, 17.9.4, 17.9.4a, 17.9.5, Denali-16.3.5, Everest-16.5.1

Relevant Products

Click on a version to see all relevant bugs

Affected versions:No known affected versions

Fixed versions: 16.10.1, 16.10.1a, 16.10.1b, 16.10.1c, 16.10.1d, 16.10.1e, 16.10.1f, 16.10.1g, 16.10.1i, 16.10.1s, 16.10.2, 16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.1c, 16.11.1s, 16.11.2, 16.12.1, 16.12.10, 16.12.10a, 16.12.1a, 16.12.1c, 16.12.1s, 16.12.1t, 16.12.1v, 16.12.1w, 16.12.1x, 16.12.1y, 16.12.1z, 16.12.1z1, 16.12.1z2, 16.12.2, 16.12.2a, 16.12.2s, 16.12.2t, 16.12.3, 16.12.3a, 16.12.3s, 16.12.4, 16.12.4a, 16.12.5, 16.12.5a, 16.12.5b, 16.12.6, 16.12.6a, 16.12.7, 16.12.8, 16.12.9, 16.3.10, 16.3.11, 16.3.5, 16.3.5a, 16.3.5b, 16.3.5c, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.10, 16.6.1a, 16.6.2, 16.6.2s, 16.6.3, 16.6.4, 16.6.4a, 16.6.4s, 16.6.5, 16.6.5a, 16.6.5b, 16.6.6, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, 16.8.1c, 16.8.1d, 16.8.1e, 16.8.1s, 16.8.2, 16.8.3, 16.9.1, 16.9.1a, 16.9.1b, 16.9.1c, 16.9.1d, 16.9.1s, 16.9.2, 16.9.2a, 16.9.2s, 16.9.3, 16.9.3a, 16.9.3h, 16.9.3s, 16.9.4, 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 17.05.01c, 17.1.1, 17.1.1a, 17.1.1s, 17.1.1t, 17.1.2, 17.1.3, 17.10.1, 17.10.1a, 17.10.1b, 17.11.1, 17.11.1a, 17.12.02a, 17.12.1, 17.12.1a, 17.12.1w, 17.12.1x, 17.12.2, 17.12.2a, 17.2.1, 17.2.1LA, 17.2.1a, 17.2.1r, 17.2.1v, 17.2.2, 17.2.3, 17.3.1, 17.3.1a, 17.3.1w, 17.3.1x, 17.3.1z, 17.3.2, 17.3.2a, 17.3.3, 17.3.3a, 17.3.4, 17.3.4a, 17.3.4b, 17.3.4c, 17.3.5, 17.3.5a, 17.3.5b, 17.3.6, 17.3.7, 17.3.8, 17.3.8a, 17.4.1, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b, 17.5.1c, 17.6.1, 17.6.1a, 17.6.1w, 17.6.1x, 17.6.1y, 17.6.1z, 17.6.1z1, 17.6.2, 17.6.3, 17.6.3a, 17.6.4, 17.6.5, 17.6.5a, 17.6.6, 17.6.6a, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.8.1, 17.8.1a, 17.9.1, 17.9.1a, 17.9.1w, 17.9.1x, 17.9.1x1, 17.9.1y, 17.9.1y1, 17.9.2, 17.9.2a, 17.9.3, 17.9.3a, 17.9.4, 17.9.4a, 17.9.5, Denali-16.3.5, Everest-16.5.1

Relevant Products

Click on a version to see all relevant bugs

Affected versions:No known affected versions

Fixed versions: 16.10.1, 16.10.1a, 16.10.1b, 16.10.1c, 16.10.1d, 16.10.1e, 16.10.1f, 16.10.1g, 16.10.1i, 16.10.1s, 16.10.2, 16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.1c, 16.11.1s, 16.11.2, 16.12.1, 16.12.10, 16.12.10a, 16.12.1a, 16.12.1c, 16.12.1s, 16.12.1t, 16.12.1v, 16.12.1w, 16.12.1x, 16.12.1y, 16.12.1z, 16.12.1z1, 16.12.1z2, 16.12.2, 16.12.2a, 16.12.2s, 16.12.2t, 16.12.3, 16.12.3a, 16.12.3s, 16.12.4, 16.12.4a, 16.12.5, 16.12.5a, 16.12.5b, 16.12.6, 16.12.6a, 16.12.7, 16.12.8, 16.12.9, 16.3.10, 16.3.11, 16.3.5, 16.3.5a, 16.3.5b, 16.3.5c, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.10, 16.6.1a, 16.6.2, 16.6.2s, 16.6.3, 16.6.4, 16.6.4a, 16.6.4s, 16.6.5, 16.6.5a, 16.6.5b, 16.6.6, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, 16.8.1c, 16.8.1d, 16.8.1e, 16.8.1s, 16.8.2, 16.8.3, 16.9.1, 16.9.1a, 16.9.1b, 16.9.1c, 16.9.1d, 16.9.1s, 16.9.2, 16.9.2a, 16.9.2s, 16.9.3, 16.9.3a, 16.9.3h, 16.9.3s, 16.9.4, 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 17.05.01c, 17.1.1, 17.1.1a, 17.1.1s, 17.1.1t, 17.1.2, 17.1.3, 17.10.1, 17.10.1a, 17.10.1b, 17.11.1, 17.11.1a, 17.12.02a, 17.12.1, 17.12.1a, 17.12.1w, 17.12.1x, 17.12.2, 17.12.2a, 17.2.1, 17.2.1LA, 17.2.1a, 17.2.1r, 17.2.1v, 17.2.2, 17.2.3, 17.3.1, 17.3.1a, 17.3.1w, 17.3.1x, 17.3.1z, 17.3.2, 17.3.2a, 17.3.3, 17.3.3a, 17.3.4, 17.3.4a, 17.3.4b, 17.3.4c, 17.3.5, 17.3.5a, 17.3.5b, 17.3.6, 17.3.7, 17.3.8, 17.3.8a, 17.4.1, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b, 17.5.1c, 17.6.1, 17.6.1a, 17.6.1w, 17.6.1x, 17.6.1y, 17.6.1z, 17.6.1z1, 17.6.2, 17.6.3, 17.6.3a, 17.6.4, 17.6.5, 17.6.5a, 17.6.6, 17.6.6a, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.8.1, 17.8.1a, 17.9.1, 17.9.1a, 17.9.1w, 17.9.1x, 17.9.1x1, 17.9.1y, 17.9.1y1, 17.9.2, 17.9.2a, 17.9.3, 17.9.3a, 17.9.4, 17.9.4a, 17.9.5, Denali-16.3.5, Everest-16.5.1

Top Cisco Defects

9.7Defect ID: CSCwk61938
ISE Evaluate OpenSSH CVE-2024-6387 "regreSSHion"
9.7Defect ID: CSCwa70008
Expired certs cause Security Intelligence updates to fail
9.7Defect ID: CSCwc94466
Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability
9.7Defect ID: CSCun66310
Nexus 5596: System fails to boot after a power cycle
9.7Defect ID: CSCvq12070
Not able to establish more than 2 simultaneous ASDM sessions

Ready to prevent the next vendor outage?

Links

Original Vendor Announcement

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise