BugZero | Cisco BugID CSCwc87891 - ENH: IOS-XE Routers should allow to use the IKEv2 ...

Cisco - Defect ID: CSCwc87891

ENH: IOS-XE Routers should allow to use the IKEv2 default Policy if an incomplete Policy is set

Cisco - Defect ID: CSCwc87891

ENH: IOS-XE Routers should allow to use the IKEv2 default Policy if an incomplete Policy is set

Last updated on May 1st, 2025

BugZero Risk Score
3.4 Low

Overall: 3.4

Severity: 3.7

Lifecycle: 7.8

Popularity: 4.6

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Views: 35

Description

Symptom

The tunnel fails on phase 1 with the following error message: If the router works as "INITIATOR": *Sep 2 04:41:43.095: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON *Sep 2 04:41:43.095: IKEv2:% Getting preshared key from profile keyring KEYRING *Sep 2 04:41:43.095: IKEv2:% Matched peer block 'ALL' *Sep 2 04:41:43.095: IKEv2:Searching Policy with fvrf 0, local address 10.96.22.10 *Sep 2 04:41:43.096: IKEv2-ERROR:No Matching policy with fvrf 0, local addr 10.96.22.10 *Sep 2 04:41:43.096: IKEv2-ERROR:Failed to initiate sa If the router works as "RESPONDER": *Sep 2 04:42:27.099: IKEv2:(SESSION ID = 16,SA ID = 1):Verify SA init message *Sep 2 04:42:27.099: IKEv2:(SESSION ID = 16,SA ID = 1):Insert SA *Sep 2 04:42:27.100: IKEv2:Searching Policy with fvrf 0, local address 10.96.22.10 *Sep 2 04:42:27.100: IKEv2-ERROR:No Matching policy with fvrf 0, local addr 10.96.22.10 *Sep 2 04:42:27.101: IKEv2-ERROR:(SESSION ID = 16,SA ID = 1):: Failed to locate an item in the database *Sep 2 04:42:27.101: IKEv2:(SESSION ID = 16,SA ID = 1):Failed SA init exchange *Sep 2 04:42:27.101: IKEv2-ERROR:(SESSION ID = 16,SA ID = 1):Initial exchange failed: Initial exchange failed *Sep 2 04:42:27.102: IKEv2:(SESSION ID = 16,SA ID = 1):Abort exchange *Sep 2 04:42:27.102: IKEv2:(SESSION ID = 16,SA ID = 1):Deleting SA

Conditions

Incomplete IKEv2 Policy configured: u22-r1#sh run all | sec ikev2 policy crypto ikev2 policy Test ! Policy Incomplete(MUST have atleast one complete proposal attached) crypto ikev2 policy default match fvrf any proposal default

Workaround

> Configure a complete IKEv2 Policy (set a complete proposal), or > Remove the incomplete IKEv2 Policy to use the default one

Further Problem Description

We have seen that, if we configure an incomplete IKEv2 Proposal, the router fallbacks to the default one with no issues, we would like to implement this ability on the IKEv2 Policy as well

Change history

2025-05-01 Added: 17.3.5

Relevant Products

Click on a version to see all relevant bugs

Affected versions:17.3.5

Fixed versions: No known fixed versions

Relevant Products

Click on a version to see all relevant bugs

Affected versions:17.3.5

Fixed versions: No known fixed versions

Top Cisco Defects

9.7Defect ID: CSCwq31287
Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability
9.7Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.7Defect ID: CSCwe01579
Cat9800 wncd reload while creating an RRM Client Coverage on large scale setup
9.7Defect ID: CSCwc66646
Unexpected Reload due to Segmentation Fault in the CCSIP_SPI_CONTROL process
9.7Defect ID: CSCwf08698
Cat9k Crashes Unexpectedly due to a Fault in the 'TLSCLIENT_PROCESS'

Ready to prevent the next vendor outage?

Get a demo

Cisco - Defect ID: CSCwc87891

ENH: IOS-XE Routers should allow to use the IKEv2 default Policy if an incomplete Policy is set

Cisco - Defect ID: CSCwc87891

ENH: IOS-XE Routers should allow to use the IKEv2 default Policy if an incomplete Policy is set

Last updated on May 1st, 2025

BugZero Risk Score3.4 Low

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Top Cisco Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
3.4 Low