BugZero | Cisco BugID CSCvp76321 - IKEv2: DH key computation fails, post recovery of ...

Cisco - Defect ID: CSCvp76321

IKEv2: DH key computation fails, post recovery of ESP from crash due to CSCvp75121

Cisco - Defect ID: CSCvp76321

IKEv2: DH key computation fails, post recovery of ESP from crash due to CSCvp75121

Last updated on November 11th, 2019

BugZero Risk Score
7.4 High

Overall: 7.4

Severity: 8.2

Lifecycle: 4.0

Popularity: 4.6

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Description

Symptom

DH Key computation fails during the processing of IKE_SA_INIT by a DMVPN hub The output of "sh crypto ikev2 diagnose error count " shows an increase in DH public key computation failed #sh crypto ikev2 diagnose error count IKEv2 error counters: A supplied parameter is incorrect : 101 Failed to find a matching policy : 3 Failed to locate an item in the database : 3 Failed to validate the certificate : 7 Detected an invalid IKE SPI : 76 Packet is a retransmission : 3189 Negotiation context locked currently in use : 17169 Error encountered while navigating State Machine : 403 Could not find neg context : 20 Failed to receive the AUTH msg before the timer expired : 21 Maximum number of retransmissions reached : 4750 Initial exchange failed : 91838 Auth exchange failed : 28 Negotiating limit reached, deny SA request : 5 DH public key computation failed : 91836 <====== Keeps on increasing, the debugs show as well that DH computations is failing. Creation/Installation of IPsec SA into IPsec DB failed : 3

Conditions

May occur post the hub router faces mcplo-ucode crash after the ESP recovers from a crash.

Workaround

Reload the router

Further Problem Description

The DH failures may also occur without an associated crash. SSH and RSA operations may fail for the same reason.

Change history

2025-03-27 Added: 16.9.3

Top Cisco Defects by Risk Score

9.65Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.65Defect ID: CSCwa92734
CUBE DTMF interworking fails from rtp-nte to OOB SIP methods
9.65Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.65Defect ID: CSCvo03458
PKI "revocation check crl none" does not fallback if CRL not reachable
9.65Defect ID: CSCvq05584
Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCvp76321

IKEv2: DH key computation fails, post recovery of ESP from crash due to CSCvp75121

Cisco - Defect ID: CSCvp76321

IKEv2: DH key computation fails, post recovery of ESP from crash due to CSCvp75121

Last updated on November 11th, 2019

BugZero Risk Score
7.4 High

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco Defects by Risk Score

Ready to prevent the next vendor outage?

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCvp76321

IKEv2: DH key computation fails, post recovery of ESP from crash due to CSCvp75121

Cisco - Defect ID: CSCvp76321

IKEv2: DH key computation fails, post recovery of ESP from crash due to CSCvp75121

Last updated on November 11th, 2019

BugZero Risk Score7.4 High

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco Defects by Risk Score

Ready to prevent the next vendor outage?

BugZero Risk Score
7.4 High