...
Traffic stops flowing over the VPN after some time. "show crypto ipsec sa" shows the IPsec SA is established. "show vpn-sessiondb detail l2l" shows the VPN is established and the vpn-filter is applied. "show asp drop" shows "Flow is denied by configured rule (acl-drop)" increasing. Packet-tracer / capture with trace shows:

  Phase: 6
  Type: ACCESS-LIST
  Subtype: filter-aaa
  Result: DROP
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  out id=0x7fd1dd44e830, priority=12, domain=filter-aaa, deny=true
      hits=42832, user_data=0x7fd1d62bf280, filter_id=0x0(-implicit deny-), protocol=0
      src ip=0.0.0.0, mask=0.0.0.0, port=0
      dst ip=0.0.0.0, mask=0.0.0.0, port=0

"show asp table filter" shows only implicit-deny rules, while there should be rules from the vpn-filter ACL:

  Global Filter Table:
  in id=0x7f6dc1e351d0, priority=12, domain=filter-aaa, deny=true
      hits=1221, user_data=0x7f6dba59c6c0, filter_id=0x0(-implicit deny-), protocol=0
      src ip=0.0.0.0, mask=0.0.0.0, port=0
      dst ip=0.0.0.0, mask=0.0.0.0, port=0
  in id=0x7f6dc1e35910, priority=12, domain=filter-aaa, deny=true
      hits=0, user_data=0x7f6dba59c540, filter_id=0x0(-implicit deny-), protocol=0
      src ip=::/0, port=0
      dst ip=::/0, port=0
  out id=0x7f6dc1e35570, priority=12, domain=filter-aaa, deny=true
      hits=0, user_data=0x7f6dba59c600, filter_id=0x0(-implicit deny-), protocol=0
      src ip=0.0.0.0, mask=0.0.0.0, port=0
      dst ip=0.0.0.0, mask=0.0.0.0, port=0
  out id=0x7f6dc1e35ce0, priority=12, domain=filter-aaa, deny=true
      hits=0, user_data=0x7f6dba59c480, filter_id=0x0(-implicit deny-), protocol=0
      src ip=::/0, port=0
      dst ip=::/0, port=0
  Last clearing of hits counters: Never
IKEv2 L2L VPN with a vpn-filter applied in the group-policy. Symmetric traffic (a similar amount of data in and out). Volume-based rekey enabled (the default).

Disable volume-based rekey.
The problem appears to happen when a volume-based rekey is initiated simultaneously by both VPN peers. Example logs showing two pairs of new IPsec SAs being generated:

  Jan 16 2020 12:03:12: %ASA-7-702307: IPSEC: An outbound L2L SA (SPI= 0xAF081781) between 192.0.2.1 and 192.0.2.2 (user= 192.0.2.2) is rekeying due to data rollover.
  Jan 16 2020 12:03:12: %ASA-5-750001: Local:192.0.2.1:500 Remote:192.0.2.2:500 Username:192.0.2.2 IKEv2 Received request to rekey an IPsec tunnel; local traffic selector = Address Range: 198.51.100.0-198.51.100.254 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: 203.0.113.0-203.0.113.254 Protocol: 0 Port Range: 0-65535
  Jan 16 2020 12:03:12: %ASA-7-713906: IKE Receiver: Packet received on 192.0.2.1:500 from 192.0.2.2:500
  Jan 16 2020 12:03:12: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x8CD00948) between 192.0.2.1 and 192.0.2.2 (user= 192.0.2.2) has been created.
  Jan 16 2020 12:03:12: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xC4A72815) between 192.0.2.1 and 192.0.2.2 (user= 192.0.2.2) has been created.
  Jan 16 2020 12:03:12: %ASA-7-713906: IKE Receiver: Packet received on 192.0.2.1:500 from 192.0.2.2:500
  Jan 16 2020 12:03:12: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xDFE11E0E) between 192.0.2.1 and 192.0.2.2 (user= 192.0.2.2) has been created.
  Jan 16 2020 12:03:12: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xF4AEC5DB) between 192.0.2.1 and 192.0.2.2 (user= 192.0.2.2) has been created.
  Jan 16 2020 12:03:12: %ASA-7-713906: IKE Receiver: Packet received on 192.0.2.1:500 from 192.0.2.2:500
  Jan 16 2020 12:03:12: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x8CD00948) between 192.0.2.1 and 192.0.2.2 (user= 192.0.2.2) has been deleted.
  Jan 16 2020 12:03:12: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xC4A72815) between 192.0.2.2 and 192.0.2.1 (user= 192.0.2.2) has been deleted.
  Jan 16 2020 12:03:12: %ASA-7-713906: IKE Receiver: Packet received on 192.0.2.1:500 from 192.0.2.2:500
  Jan 16 2020 12:03:12: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xAF081781) between 192.0.2.1 and 192.0.2.2 (user= 192.0.2.2) has been deleted.
  Jan 16 2020 12:03:12: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x9DBDD93D) between 192.0.2.2 and 192.0.2.1 (user= 192.0.2.2) has been deleted.
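As an added example (not part of the bug report or Cisco's tooling), a small Python checker that spots the two signatures described above from saved output: a "show asp table filter" whose filter-aaa domain contains only implicit-deny entries, and a syslog window in which two inbound/outbound SA pairs are created in the same second for one peer pair. The samples are constructed from the lines above; the healthy-table line with a named filter_id is an assumption about the format, not taken from the report.

```python
import re
from collections import Counter

# Constructed sample (from the bug's "show asp table filter" output): only
# implicit-deny entries remain in the filter-aaa domain, no vpn-filter ACL rules.
ASP_FILTER_DEGRADED = """Global Filter Table:
in id=0x7f6dc1e351d0, priority=12, domain=filter-aaa, deny=true
    hits=1221, user_data=0x7f6dba59c6c0, filter_id=0x0(-implicit deny-), protocol=0
out id=0x7f6dc1e35570, priority=12, domain=filter-aaa, deny=true
    hits=0, user_data=0x7f6dba59c600, filter_id=0x0(-implicit deny-), protocol=0
"""
# Hypothetical healthy line: a non-zero filter_id naming the vpn-filter ACL
# (the exact healthy format is an assumption, not taken from the bug report).
ASP_FILTER_HEALTHY = ASP_FILTER_DEGRADED + (
    "in id=0x7f6dc1e3aaaa, priority=12, domain=filter-aaa, deny=false\n"
    "    hits=10, user_data=0x7f6dba59cbbb, filter_id=0x1(VPN-FILTER-ACL), protocol=0\n")

FILTER_ID_RE = re.compile(r"filter_id=(0x[0-9a-fA-F]+)\(([^)]*)\)")

def vpn_filter_missing(asp_filter_output: str) -> bool:
    """True when every rule in the table is the implicit deny, i.e. the
    vpn-filter ACL entries have dropped out of the ASP filter table."""
    names = [m.group(2) for m in FILTER_ID_RE.finditer(asp_filter_output)]
    return bool(names) and all(n == "-implicit deny-" for n in names)

# Constructed syslog excerpt following the bug's description: two
# inbound/outbound SA pairs created in the same second for one peer pair.
SYSLOG = """Jan 16 2020 12:03:12: %ASA-7-702307: IPSEC: An outbound L2L SA (SPI= 0xAF081781) between 192.0.2.1 and 192.0.2.2 (user= 192.0.2.2) is rekeying due to data rollover.
Jan 16 2020 12:03:12: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x8CD00948) between 192.0.2.1 and 192.0.2.2 (user= 192.0.2.2) has been created.
Jan 16 2020 12:03:12: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xC4A72815) between 192.0.2.1 and 192.0.2.2 (user= 192.0.2.2) has been created.
Jan 16 2020 12:03:12: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xDFE11E0E) between 192.0.2.1 and 192.0.2.2 (user= 192.0.2.2) has been created.
Jan 16 2020 12:03:12: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xF4AEC5DB) between 192.0.2.1 and 192.0.2.2 (user= 192.0.2.2) has been created.
"""

SA_CREATED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): %ASA-6-602303: IPSEC: An "
    r"(?:inbound|outbound) LAN-to-LAN SA \(SPI= 0x[0-9A-Fa-f]+\) "
    r"between (?P<a>[\d.]+) and (?P<b>[\d.]+)")

def simultaneous_rekeys(syslog: str) -> list:
    """Return (timestamp, peers) for each second in which more than one
    inbound/outbound SA pair (i.e. more than two 602303 lines) was created
    for the same peer pair, the double-rekey pattern shown in the logs."""
    created = Counter()
    for line in syslog.splitlines():
        m = SA_CREATED_RE.match(line)
        if m:
            created[(m["ts"], tuple(sorted((m["a"], m["b"]))))] += 1
    return sorted(k for k, n in created.items() if n > 2)
```

Feed it the output of the two show commands and a syslog excerpt from the failure window; a True from vpn_filter_missing alongside a non-empty simultaneous_rekeys result matches the condition described in this bug.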