Symptom
IKEv2 Tunnels Flap / IPSec SA connections are broken
Conditions
-DUT is configured only with a time-based key
-All tunnels are up and the end-to-end solution works fine
-Add a volume-based key and start spoke-to-spoke traffic
-clear crypto ikev2 sa
-After this, the crypto tunnels start flapping
Workaround
Restart the affected device
Further Problem Description
When this issue occurs and the SA rekey loop has started, packets continue to be transmitted ESP-protected. They may not be decryptable on the receiving device due to SA timeout.
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html