
OPERATIONAL DEFECT DATABASE
IOS-XE routers with a "responder-only" configuration can potentially run into this issue and start dropping traffic. This happens when the router reaches the soft limit of the volume lifetime: the IPSec tunnel is dropped before the initiator can start a rekey.
This symptom is observed on IOS-XE running an IKEv1/IPSec tunnel with responder-only enabled (under the ipsec-profile).
If using the "responder-only" configuration, avoid hitting this issue by doing either of the following:
a. Disable volume-based rekey:
   no crypto ipsec security-association lifetime kilobytes
b. Remove the "responder-only" configuration from the IPSec profile.
The problem occurs only if the customer has both the "responder-only" configuration and volume-based rekey. In all other scenarios, deletion of SAs within 30 seconds is expected, as new SAs would have formed by then via rekey.