BugZero | Cisco BugID CSCwc54984 - IKEv2 rekey - Responding Invalid SPI for the new S...

Loading...

Operational Defect Database

A free repository of operational (non-security) bugs centralized through custom integrations with leading IT vendors.

Product

Enterprise platform
Bug Scrub Advisor
Operational Risk Scoring
Vendor Integrations

Company

Plans
Value Guide
About
Contact us
Legal

Resources

Blog
ServiceNow App
Trust Center
Risk Management
NIST
DORA

Operational Defect Database

A free repository of operational (non-security) bugs centralized through custom integrations with leading IT vendors.

Product

Enterprise platform
Bug Scrub Advisor
Operational Risk Scoring
Vendor Integrations

Company

Plans
Value Guide
About
Contact us
Legal

Resources

Blog
ServiceNow App
Trust Center
Risk Management
NIST
DORA

©2025 BugZero. All Rights Reserved.

Privacy Policy Terms of Service

BugZero | Cisco BugID CSCwc54984 - IKEv2 rekey - Responding Invalid SPI for the new S...

ODD
Cisco
CSCwc54984

Cisco - Defect ID: CSCwc54984

IKEv2 rekey - Responding Invalid SPI for the new SPI received right after Create_Child_SA response

ODD
Cisco
CSCwc54984

Cisco - Defect ID: CSCwc54984

IKEv2 rekey - Responding Invalid SPI for the new SPI received right after Create_Child_SA response

Last updated on October 15th, 2025

BugZero Risk Score
7.8 High

Overall: 7.8

Severity: 8.2

Lifecycle: 9.1

Popularity: 5.1

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Bug Details

Views: 20

Description

Symptom

The IPSEC VPN tunnel flaps intermittently during a rekey request from Cisco ASA. The VPN recovers in a couple of minutes on its own, however, there is an outage for a couple of minutes when the tunnel is down.

Conditions

When there is an IPSEC tunnel formed between Cisco ASA and PAN firewall

Workaround

Increase IPSEC SA lifetime on ASA, so that the peer has lower time and ASA is rekey responder, not the initiator.

Further Problem Description

In IKEv2 debugs, we see that during rekey initiated by ASA, the first new inbound SPI is created, and then ASA sends information that the same SPI is invalid. This is not expected. Jul 25 22:35:53 IKEv2-PLAT-5: RECV PKT [CREATE_CHILD_SA] [x.x.x.x]:500->[y.y.y.y]:500 InitSPI=0x48a0d49e589d838c RespSPI=0x9a973412d4dfc9df MID=00000008 Jul 25 22:35:53 IKEv2-PLAT-4: Received PFKEY Invalid SPI for SPI 0x8D5E4089, error FALSE (229): Jul 25 22:35:53 IKEv2-PROTO-4: (229): Received Packet [From x.x.x.x:500/To y.y.y.y:500/VRF i0:f0] (229): Initiator SPI : 48A0D49E589D838C - Responder SPI : 9A973412D4DFC9DF Message id: 8 (229): IKEv2 CREATE_CHILD_SA Exchange RESPONSEJul 25 22:35:53 IKEv2-PROTO-5: (229): Next payload: ENCR, version: 2.0 (229): Exchange type: CREATE_CHILD_SA, flags: RESPONDER MSG-RESPONSE (229): Message id: 8, length: 224(229): Payload contents: Jul 25 22:35:53 IKEv2-PROTO-4: decrypt queued(229): (229): Decrypted packet:(229): Data: 224 bytes Jul 25 22:35:53 IKEv2-PROTO-7: Process delete IPSec API Jul 25 22:35:53 IKEv2-PROTO-7: (229): SM Trace-> SA: I_SPI=48A0D49E589D838C R_SPI=9A973412D4DFC9DF (I) MsgID = 00000001 CurState: READY Event: EV_SEND_INVALID_SPI Jul 25 22:35:53 IKEv2-PROTO-7: (229): Action: Action_Null Jul 25 22:35:53 IKEv2-PROTO-7: (229): SM Trace-> SA: I_SPI=48A0D49E589D838C R_SPI=9A973412D4DFC9DF (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_INVALID_SPI Jul 25 22:35:53 IKEv2-PROTO-4: (229): Sending INVALID_SPI notify Jul 25 22:35:53 IKEv2-PROTO-7: Construct Notify Payload: INVALID_SPIJul 25 22:35:53 IKEv2-PROTO-4: (229): Building packet for encryption. (229): Payload contents: (229): NOTIFY(INVALID_SPI)(229): Next payload: NONE, reserved: 0x0, length: 12 (229): Security protocol id: ESP, spi size: 0, type: INVALID_SPI (229): (229): 89 40 5e 8d <---------------- new valid SPI

Relevant Products

Click on a version to see all relevant bugs

Affected versions:9.12.4.26, 9.12.4.29, 9.12.4.30, 9.12.4.35, 9.12.4.37, 9.12.4.38, 9.12.4.39, 9.12.4.40, 9.12.4.41, 9.12.4.47, 9.12.4.48, 9.12.4.50, 9.14.3, 9.14.3.1, 9.14.3.11, 9.14.3.13, 9.14.3.15, 9.14.3.18, 9.14.3.9, 9.14.4, 9.14.4.12, 9.14.4.13, 9.14.4.14, 9.14.4.6, 9.14.4.7, 9.16.1.28, 9.16.2, 9.16.2.11, 9.16.2.13, 9.16.2.14, 9.16.2.3, 9.16.2.7, 9.16.3, 9.16.3.14, 9.16.3.15, 9.16.3.19, 9.16.3.3, 9.17.1, 9.17.1.10, 9.17.1.11, 9.17.1.13, 9.17.1.15, 9.17.1.20, 9.17.1.30, 9.17.1.33, 9.17.1.39, 9.17.1.45, 9.17.1.46, 9.17.1.7, 9.17.1.9, 9.18.1, 9.18.1.3, 9.18.2

Fixed versions: 9.12.4.52, 9.12.4.54, 9.12.4.55, 9.12.4.56, 9.12.4.58, 9.12.4.62, 9.12.4.65, 9.12.4.67, 9.14.4.15, 9.14.4.17, 9.14.4.22, 9.14.4.23, 9.14.4.24, 9.16.3.23, 9.16.4, 9.16.4.14, 9.16.4.18, 9.16.4.19, 9.16.4.27, 9.16.4.38, 9.16.4.39, 9.16.4.42, 9.16.4.48, 9.16.4.55, 9.16.4.57, 9.16.4.61, 9.16.4.62, 9.16.4.67, 9.16.4.70, 9.16.4.71, 9.16.4.76, 9.16.4.82, 9.16.4.84, 9.16.4.9, 9.18.2.5, 9.18.2.7, 9.18.2.8, 9.18.3, 9.18.3.39, 9.18.3.46, 9.18.3.53, 9.18.3.55, 9.18.3.56, 9.18.4, 9.18.4.22, 9.18.4.24, 9.18.4.29, 9.18.4.34, 9.18.4.40, 9.18.4.47, 9.18.4.5, 9.18.4.50, 9.18.4.52, 9.18.4.53, 9.18.4.57, 9.18.4.8, 9.19.1, 9.19.1.12, 9.19.1.18, 9.19.1.22, 9.19.1.24, 9.19.1.27, 9.19.1.28, 9.19.1.31, 9.19.1.37, 9.19.1.38, 9.19.1.42, 9.19.1.5, 9.19.1.9, 9.20.1, 9.20.1.5, 9.20.2, 9.20.2.10, 9.20.2.21, 9.20.2.22, 9.20.3, 9.20.3.10, 9.20.3.13, 9.20.3.16, 9.20.3.20, 9.20.3.4, 9.20.3.7, 9.20.3.9, 9.20.4, 9.22.1.1, 9.22.1.2, 9.22.1.3, 9.22.1.6, 9.22.2, 9.22.2.4, 9.22.2.9, 9.23.1, 9.23.1.3, 9.23.1.7

Relevant Products

Click on a version to see all relevant bugs

Affected versions:9.12.4.26, 9.12.4.29, 9.12.4.30, 9.12.4.35, 9.12.4.37, 9.12.4.38, 9.12.4.39, 9.12.4.40, 9.12.4.41, 9.12.4.47, 9.12.4.48, 9.12.4.50, 9.14.3, 9.14.3.1, 9.14.3.11, 9.14.3.13, 9.14.3.15, 9.14.3.18, 9.14.3.9, 9.14.4, 9.14.4.12, 9.14.4.13, 9.14.4.14, 9.14.4.6, 9.14.4.7, 9.16.1.28, 9.16.2, 9.16.2.11, 9.16.2.13, 9.16.2.14, 9.16.2.3, 9.16.2.7, 9.16.3, 9.16.3.14, 9.16.3.15, 9.16.3.19, 9.16.3.3, 9.17.1, 9.17.1.10, 9.17.1.11, 9.17.1.13, 9.17.1.15, 9.17.1.20, 9.17.1.30, 9.17.1.33, 9.17.1.39, 9.17.1.45, 9.17.1.46, 9.17.1.7, 9.17.1.9, 9.18.1, 9.18.1.3, 9.18.2

Fixed versions: 9.12.4.52, 9.12.4.54, 9.12.4.55, 9.12.4.56, 9.12.4.58, 9.12.4.62, 9.12.4.65, 9.12.4.67, 9.14.4.15, 9.14.4.17, 9.14.4.22, 9.14.4.23, 9.14.4.24, 9.16.3.23, 9.16.4, 9.16.4.14, 9.16.4.18, 9.16.4.19, 9.16.4.27, 9.16.4.38, 9.16.4.39, 9.16.4.42, 9.16.4.48, 9.16.4.55, 9.16.4.57, 9.16.4.61, 9.16.4.62, 9.16.4.67, 9.16.4.70, 9.16.4.71, 9.16.4.76, 9.16.4.82, 9.16.4.84, 9.16.4.9, 9.18.2.5, 9.18.2.7, 9.18.2.8, 9.18.3, 9.18.3.39, 9.18.3.46, 9.18.3.53, 9.18.3.55, 9.18.3.56, 9.18.4, 9.18.4.22, 9.18.4.24, 9.18.4.29, 9.18.4.34, 9.18.4.40, 9.18.4.47, 9.18.4.5, 9.18.4.50, 9.18.4.52, 9.18.4.53, 9.18.4.57, 9.18.4.8, 9.19.1, 9.19.1.12, 9.19.1.18, 9.19.1.22, 9.19.1.24, 9.19.1.27, 9.19.1.28, 9.19.1.31, 9.19.1.37, 9.19.1.38, 9.19.1.42, 9.19.1.5, 9.19.1.9, 9.20.1, 9.20.1.5, 9.20.2, 9.20.2.10, 9.20.2.21, 9.20.2.22, 9.20.3, 9.20.3.10, 9.20.3.13, 9.20.3.16, 9.20.3.20, 9.20.3.4, 9.20.3.7, 9.20.3.9, 9.20.4, 9.22.1.1, 9.22.1.2, 9.22.1.3, 9.22.1.6, 9.22.2, 9.22.2.4, 9.22.2.9, 9.23.1, 9.23.1.3, 9.23.1.7

Top Cisco Defects

No bugs this month

Ready to prevent the next vendor outage?

Change history

2025-10-15 Added: 9.12.4.26, 9.12.4.29, 9.12.4.30, 9.12.4.35, 9.12.4.37, 9.12.4.38, 9.12.4.39, 9.12.4.40, 9.12.4.41, 9.12.4.47, 9.12.4.48, 9.12.4.50, 9.14.3, 9.14.3.1, 9.14.3.11, 9.14.3.13, 9.14.3.15, 9.14.3.18, 9.14.3.9, 9.14.4, 9.14.4.12, 9.14.4.13, 9.14.4.14, 9.14.4.6, 9.14.4.7, 9.16.1.28, 9.16.2, 9.16.2.11, 9.16.2.13, 9.16.2.14, 9.16.2.3, 9.16.2.7, 9.16.3, 9.16.3.14, 9.16.3.15, 9.16.3.19, 9.16.3.3, 9.17.1, 9.17.1.10, 9.17.1.11, 9.17.1.13, 9.17.1.15, 9.17.1.20, 9.17.1.30, 9.17.1.33, 9.17.1.39, 9.17.1.45, 9.17.1.46, 9.17.1.7, 9.17.1.9, 9.18.1, 9.18.1.3, 9.18.2

Links

Original Vendor Announcement

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise