BugZero | Cisco BugID CSCwa76260 - IKEv2 Deprecated Ciphers denied by Crypto Engine C...

Cisco - Defect ID: CSCwa76260

IKEv2 Deprecated Ciphers denied by Crypto Engine CDSL - PSB Security Compliance - DES, 3DES, DH1/2/5

Cisco - Defect ID: CSCwa76260

IKEv2 Deprecated Ciphers denied by Crypto Engine CDSL - PSB Security Compliance - DES, 3DES, DH1/2/5

Last updated on June 30th, 2025

BugZero Risk Score
6.1 Medium

Overall: 6.1

Severity: 6.4

Lifecycle: 9.1

Popularity: 5.1

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Description

Symptom

The Crypto Engine denies the uses of IKEv2 deprecated ciphers, the following logs can be seen: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of DH group 5 by Crypto IKEv2 is denied. The IKEv2 negotiation fails if the agreed cipher is denied by the Crypto Engine, causing the IPsec tunnel not to establish.

Conditions

Used of Deprecated Ciphers: Diffie-Hellman (DH) groups 1, 2 or 5. Encryption algorithm DES or 3DES. Integrity Algorithm: MD5 or SHA1. Kindly note that this defect only applies to IKEv2/

Workaround

Use a recommended cipher for next-generation cryptography: https://tools.cisco.com/security/center/resources/next_generation_cryptography

Further Problem Description

-Please note that Integrity Algorithm MD5 or SHA1 will work on versions which include fix for CSCwa80474 -When using deprecated ciphers for IPSec profile, the tunnel will fail during the rekey

Change history

2025-03-27 Added: 17.6.1, 17.6.2

Top Cisco Defects by Risk Score

9.65Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.65Defect ID: CSCwa92734
CUBE DTMF interworking fails from rtp-nte to OOB SIP methods
9.65Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.65Defect ID: CSCvo03458
PKI "revocation check crl none" does not fallback if CRL not reachable
9.65Defect ID: CSCvq05584
Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCwa76260

IKEv2 Deprecated Ciphers denied by Crypto Engine CDSL - PSB Security Compliance - DES, 3DES, DH1/2/5

Cisco - Defect ID: CSCwa76260

IKEv2 Deprecated Ciphers denied by Crypto Engine CDSL - PSB Security Compliance - DES, 3DES, DH1/2/5

Last updated on June 30th, 2025

BugZero Risk Score
6.1 Medium

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco Defects by Risk Score

Ready to prevent the next vendor outage?

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCwa76260

IKEv2 Deprecated Ciphers denied by Crypto Engine CDSL - PSB Security Compliance - DES, 3DES, DH1/2/5

Cisco - Defect ID: CSCwa76260

IKEv2 Deprecated Ciphers denied by Crypto Engine CDSL - PSB Security Compliance - DES, 3DES, DH1/2/5

Last updated on June 30th, 2025

BugZero Risk Score6.1 Medium

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco Defects by Risk Score

Ready to prevent the next vendor outage?

BugZero Risk Score
6.1 Medium