...
Under IPsec tunnel configuration, the vEdge accepts a non-existing interface under the tunnel-source-interface command when configured through CLI management.

!
interface ipsec111
 tunnel-source-interface ge--0/1   <-- it is using an additional "-".
 tunnel-destination 1.1.1.1
 ike
  version 1
  mode main
  rekey 14400
  cipher-suite aes256-cbc-sha1
  group 16
 !
 ipsec
  rekey 3600
  replay-window 512
  cipher-suite aes256-gcm
  perfect-forward-secrecy group-16
 !
 shutdown
!
!

vedge# show interface | tab

                                         IF      IF      IF                                                                 TCP
                AF                       ADMIN   OPER    TRACKER  ENCAP                                      SPEED          MSS                  RX         TX
VPN  INTERFACE  TYPE  IP ADDRESS         STATUS  STATUS  STATUS   TYPE   PORT TYPE  MTU   HWADDR             MBPS   DUPLEX  ADJUST  UPTIME       PACKETS    PACKETS
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
0    ge0/0      ipv4  192.168.32.129/22  Up      Up      NA       null   transport  1500  00:50:56:84:33:da  1000   full    1416    76:22:32:19  887931830  78386078
0    ge0/1      ipv4  192.168.42.82/22   Up      Up      NA       null   transport  1500  00:50:56:84:19:42  1000   full    1416    76:22:32:19  237945290  79952548
0    ge0/2      ipv4  192.168.54.177/22  Up      Up      NA       null   transport  1500  00:50:56:84:0a:d9  1000   full    1416    76:22:32:19  379763660  28430422
0    ge0/3      ipv4  -                  Down    Down    NA       null   service    1500  00:50:56:84:1d:b3  -      -       1416    -            0          0
0    system     ipv4  4.4.4.2/32         Up      Up      NA       null   loopback   1500  00:00:00:00:00:00  1000   full    1416    76:22:32:33  0          0
0    ipsec111   ipv4  -                  Down    Down    NA       vlan   service    1500  00:00:00:00:00:01  -      -       1416    -            0          0
512  eth0       ipv4  -                  Down    Down    NA       null   service    1500  00:50:56:84:9f:b3  -      -       1416    -            0          0

Make sure the interface configured is an existing one.
If a non-existing interface is configured for any reason, it is easy to overlook that part, assume the configuration is correct, and proceed to troubleshoot an issue where none exists.

Symptoms: the IPsec tunnel doesn't come up, the peer is trying to initiate the negotiation, and IKE packets are being received on the "expected interface", but no IKE debugs are seen in "messages" and no drops are seen on IPsec. In that case the device could be hitting this issue.
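
The check described above can be scripted against saved CLI output. This is an added example, not part of the original bug description or any Cisco tooling; the function names, the ipsec112 stanza and the trimmed table are constructed for illustration.

```python
# Constructed sample input modeled on the outputs above: a config excerpt and
# "show interface | tab" rows trimmed to the first columns.
SAMPLE_CONFIG = """\
interface ipsec111
 tunnel-source-interface ge--0/1
 tunnel-destination 1.1.1.1
!
interface ipsec112
 tunnel-source-interface ge0/2
 tunnel-destination 2.2.2.2
!
"""
SAMPLE_SHOW = """\
VPN  INTERFACE  TYPE  IP ADDRESS         STATUS  STATUS
--------------------------------------------------------
0    ge0/0      ipv4  192.168.32.129/22  Up      Up
0    ge0/1      ipv4  192.168.42.82/22   Up      Up
0    ge0/2      ipv4  192.168.54.177/22  Up      Up
0    ipsec111   ipv4  -                  Down    Down
512  eth0       ipv4  -                  Down    Down
"""

def existing_interfaces(show_output):
    """Interface names from data rows (numeric VPN id, then the name)."""
    names = set()
    for line in show_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].isdigit():
            names.add(fields[1])
    return names

def tunnel_sources(config):
    """Map each interface stanza to its tunnel-source-interface value."""
    sources, current = {}, None
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == "interface":
            current = tokens[1]
        elif len(tokens) >= 2 and tokens[0] == "tunnel-source-interface" and current:
            sources[current] = tokens[1]
    return sources

def invalid_tunnel_sources(config, show_output):
    """IPsec interfaces whose source interface is absent from the device."""
    present = existing_interfaces(show_output)
    return {tun: src for tun, src in tunnel_sources(config).items()
            if tun.startswith("ipsec") and src not in present}

if __name__ == "__main__":
    for tun, src in invalid_tunnel_sources(SAMPLE_CONFIG, SAMPLE_SHOW).items():
        print(f"{tun}: tunnel-source-interface {src} does not exist")
```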