BugZero | Cisco BugID CSCwc54984 - IKEv2 rekey - Responding Invalid SPI for the new S...

Cisco - Defect ID: CSCwc54984

IKEv2 rekey - Responding Invalid SPI for the new SPI received right after Create_Child_SA response

Cisco - Defect ID: CSCwc54984

IKEv2 rekey - Responding Invalid SPI for the new SPI received right after Create_Child_SA response

Last updated on July 9th, 2025

BugZero Risk Score
7.8 High

Overall: 7.8

Severity: 8.2

Lifecycle: 9.1

Popularity: 5.1

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Description

Symptom

The IPSEC VPN tunnel flaps intermittently during a rekey request from Cisco ASA. The VPN recovers in a couple of minutes on its own, however, there is an outage for a couple of minutes when the tunnel is down.

Conditions

When there is an IPSEC tunnel formed between Cisco ASA and PAN firewall

Workaround

Increase IPSEC SA lifetime on ASA, so that the peer has lower time and ASA is rekey responder, not the initiator.

Further Problem Description

In IKEv2 debugs, we see that during rekey initiated by ASA, the first new inbound SPI is created, and then ASA sends information that the same SPI is invalid. This is not expected. Jul 25 22:35:53 IKEv2-PLAT-5: RECV PKT [CREATE_CHILD_SA] [x.x.x.x]:500->[y.y.y.y]:500 InitSPI=0x48a0d49e589d838c RespSPI=0x9a973412d4dfc9df MID=00000008 Jul 25 22:35:53 IKEv2-PLAT-4: Received PFKEY Invalid SPI for SPI 0x8D5E4089, error FALSE (229): Jul 25 22:35:53 IKEv2-PROTO-4: (229): Received Packet [From x.x.x.x:500/To y.y.y.y:500/VRF i0:f0] (229): Initiator SPI : 48A0D49E589D838C - Responder SPI : 9A973412D4DFC9DF Message id: 8 (229): IKEv2 CREATE_CHILD_SA Exchange RESPONSEJul 25 22:35:53 IKEv2-PROTO-5: (229): Next payload: ENCR, version: 2.0 (229): Exchange type: CREATE_CHILD_SA, flags: RESPONDER MSG-RESPONSE (229): Message id: 8, length: 224(229): Payload contents: Jul 25 22:35:53 IKEv2-PROTO-4: decrypt queued(229): (229): Decrypted packet:(229): Data: 224 bytes Jul 25 22:35:53 IKEv2-PROTO-7: Process delete IPSec API Jul 25 22:35:53 IKEv2-PROTO-7: (229): SM Trace-> SA: I_SPI=48A0D49E589D838C R_SPI=9A973412D4DFC9DF (I) MsgID = 00000001 CurState: READY Event: EV_SEND_INVALID_SPI Jul 25 22:35:53 IKEv2-PROTO-7: (229): Action: Action_Null Jul 25 22:35:53 IKEv2-PROTO-7: (229): SM Trace-> SA: I_SPI=48A0D49E589D838C R_SPI=9A973412D4DFC9DF (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_INVALID_SPI Jul 25 22:35:53 IKEv2-PROTO-4: (229): Sending INVALID_SPI notify Jul 25 22:35:53 IKEv2-PROTO-7: Construct Notify Payload: INVALID_SPIJul 25 22:35:53 IKEv2-PROTO-4: (229): Building packet for encryption. (229): Payload contents: (229): NOTIFY(INVALID_SPI)(229): Next payload: NONE, reserved: 0x0, length: 12 (229): Security protocol id: ESP, spi size: 0, type: INVALID_SPI (229): (229): 89 40 5e 8d <---------------- new valid SPI

Change history

2025-03-27 Added: 9.12.4.26, 9.12.4.29, 9.12.4.30, 9.12.4.35, 9.12.4.37, 9.12.4.38, 9.12.4.39, 9.12.4.40, 9.12.4.41, 9.12.4.47, 9.12.4.48, 9.12.4.50, 9.14.3, 9.14.3.1, 9.14.3.11, 9.14.3.13, 9.14.3.15, 9.14.3.18, 9.14.3.9, 9.14.4, 9.14.4.12, 9.14.4.13, 9.14.4.14, 9.14.4.6, 9.14.4.7, 9.16.1.28, 9.16.2, 9.16.2.11, 9.16.2.13, 9.16.2.14, 9.16.2.3, 9.16.2.7, 9.16.3, 9.16.3.14, 9.16.3.15, 9.16.3.19, 9.16.3.3, 9.17.1, 9.17.1.10, 9.17.1.11, 9.17.1.13, 9.17.1.15, 9.17.1.20, 9.17.1.30, 9.17.1.33, 9.17.1.39, 9.17.1.45, 9.17.1.46, 9.17.1.7, 9.17.1.9, 9.18.1, 9.18.1.3, 9.18.2

Links

Original Vendor Announcement

Relevant Products

Click on a version to see all relevant bugs

Affected versions:9.12.4.26, 9.12.4.29, 9.12.4.30, 9.12.4.35, 9.12.4.37, 9.12.4.38, 9.12.4.39, 9.12.4.40, 9.12.4.41, 9.12.4.47, 9.12.4.48, 9.12.4.50, 9.14.3, 9.14.3.1, 9.14.3.11, 9.14.3.13, 9.14.3.15, 9.14.3.18, 9.14.3.9, 9.14.4, 9.14.4.12, 9.14.4.13, 9.14.4.14, 9.14.4.6, 9.14.4.7, 9.16.1.28, 9.16.2, 9.16.2.11, 9.16.2.13, 9.16.2.14, 9.16.2.3, 9.16.2.7, 9.16.3, 9.16.3.14, 9.16.3.15, 9.16.3.19, 9.16.3.3, 9.17.1, 9.17.1.10, 9.17.1.11, 9.17.1.13, 9.17.1.15, 9.17.1.20, 9.17.1.30, 9.17.1.33, 9.17.1.39, 9.17.1.45, 9.17.1.46, 9.17.1.7, 9.17.1.9, 9.18.1, 9.18.1.3, 9.18.2

Fixed versions: No known fixed versions

Relevant Products

Click on a version to see all relevant bugs

Fixed versions: No known fixed versions

Top Cisco Defects by Risk Score

9.65Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.65Defect ID: CSCwa92734
CUBE DTMF interworking fails from rtp-nte to OOB SIP methods
9.65Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.65Defect ID: CSCvo03458
PKI "revocation check crl none" does not fallback if CRL not reachable
9.65Defect ID: CSCvq05584
Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCwc54984

IKEv2 rekey - Responding Invalid SPI for the new SPI received right after Create_Child_SA response

Cisco - Defect ID: CSCwc54984

IKEv2 rekey - Responding Invalid SPI for the new SPI received right after Create_Child_SA response

Last updated on July 9th, 2025

BugZero Risk Score7.8 High

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco Defects by Risk Score

Ready to prevent the next vendor outage?

BugZero Risk Score
7.8 High