BugZero | Cisco BugID CSCvy73554 - ASA: "deny ip any any" entry in crypto ACL prevent...

Cisco - Defect ID: CSCvy73554

ASA: "deny ip any any" entry in crypto ACL prevents IKEv2 remote AnyConnect access connections

Cisco - Defect ID: CSCvy73554

ASA: "deny ip any any" entry in crypto ACL prevents IKEv2 remote AnyConnect access connections

Last updated on 9/24/2024

Overall: 6.16.1

Severity: 6.46.4

Lifecycle: 9.19.1

Popularity: 4.64.6

What is the BugZero Risk Score?

Vendor details

No defect details.

Overall: 6.16.1

Severity: 6.46.4

Lifecycle: 9.19.1

Popularity: 4.64.6

What is the BugZero Risk Score?

Vendor details

No defect details.

General

NONE

Symptom

Remote AnyConnect access IKEv2 session fails to come up with followign IKEv2 debugs: CONNECTION STATUS: REGISTERED... peer: 10.227.64.226:58853, phase1_id: *$AnyConnectClient$* IKEv2-PROTO-4: (14): Initializing DPD, configured for 10 seconds IKEv2-PLAT-4: mib_index set to: 4501 IKEv2-PROTO-7: (14): SM Trace-> SA: I_SPI=994D0872C5D2008E R_SPI=ED72833006AD1AEB (R) MsgID = 00000005 CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC IKEv2-PROTO-4: (14): Load IPSEC key material IKEv2-PLAT-4: checking access status for src = 0.0.0.0 dst 10.7.7.1 s_port = 0 d_port = 0, proto = 0 IKEv2-PLAT-4: Crypto Map: no match on map map seq 1 IKEv2-PLAT-4: Crypto Map: match on dynamic map out-dyn-map seq 10 IKEv2-PLAT-4: (14): PFS disabled for RA connection IKEv2-PLAT-2: (14): Unable to obtain ACL Name for Outbound PFKEY MSG IKEv2-PROTO-2: (14): Failed to allocate memory

Conditions

IKEv2 static site-to-site tunnel terminated on ASA interface. IKEv2 AnyConnect remote access VPN terminated on the same interface. Crypto ACL used for static site-to-site has "deny ip any any" statement

Workaround

Remove "deny ip any any" statement from static crypto map ACL.

Further Problem Description

Crypto ACL used for static site-to-site has "deny ip any any" statement: access-list tunnel extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list tunnel extended deny ip any any crypto dynamic-map out-dyn-map 10 set ikev2 ipsec-proposal AES256-SHA crypto map map 1 match address tunnel crypto map map 1 set peer 10.48.30.21 crypto map map 1 set ikev2 ipsec-proposal AES256-SHA crypto map map 65000 ipsec-isakmp dynamic out-dyn-map crypto map map interface outside

Original Vendor Announcement

9.65Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.65Defect ID: CSCwa92734
CUBE DTMF interworking fails from rtp-nte to OOB SIP methods
9.65Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.65Defect ID: CSCvo03458
PKI "revocation check crl none" does not fallback if CRL not reachable
9.65Defect ID: CSCvq05584
Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCvy73554

ASA: "deny ip any any" entry in crypto ACL prevents IKEv2 remote AnyConnect access connections

Cisco - Defect ID: CSCvy73554

ASA: "deny ip any any" entry in crypto ACL prevents IKEv2 remote AnyConnect access connections

Last updated on 9/24/2024

Vendor details

Vendor details

Description

General

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco defects by risk score

Ready to prevent the next vendor outage?