BugZero | Cisco BugID CSCwc87891 - ENH: IOS-XE Routers should allow to use the IKEv2 ...

OPERATIONAL DEFECT DATABASE

...

BugZero | Cisco BugID CSCwc87891 - ENH: IOS-XE Routers should allow to use the IKEv2 ...

Cisco - Defect ID: CSCwc87891

ENH: IOS-XE Routers should allow to use the IKEv2 default Policy if an incomplete Policy is set

Cisco - Defect ID: CSCwc87891

ENH: IOS-XE Routers should allow to use the IKEv2 default Policy if an incomplete Policy is set

Last updated on May 1st, 2025

BugZero Risk Score
3.4 Low

Overall: 3.4

Severity: 3.7

Lifecycle: 7.8

Popularity: 4.6

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Description

Symptom

The tunnel fails on phase 1 with the following error message: If the router works as "INITIATOR": *Sep 2 04:41:43.095: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON *Sep 2 04:41:43.095: IKEv2:% Getting preshared key from profile keyring KEYRING *Sep 2 04:41:43.095: IKEv2:% Matched peer block 'ALL' *Sep 2 04:41:43.095: IKEv2:Searching Policy with fvrf 0, local address 10.96.22.10 *Sep 2 04:41:43.096: IKEv2-ERROR:No Matching policy with fvrf 0, local addr 10.96.22.10 *Sep 2 04:41:43.096: IKEv2-ERROR:Failed to initiate sa If the router works as "RESPONDER": *Sep 2 04:42:27.099: IKEv2:(SESSION ID = 16,SA ID = 1):Verify SA init message *Sep 2 04:42:27.099: IKEv2:(SESSION ID = 16,SA ID = 1):Insert SA *Sep 2 04:42:27.100: IKEv2:Searching Policy with fvrf 0, local address 10.96.22.10 *Sep 2 04:42:27.100: IKEv2-ERROR:No Matching policy with fvrf 0, local addr 10.96.22.10 *Sep 2 04:42:27.101: IKEv2-ERROR:(SESSION ID = 16,SA ID = 1):: Failed to locate an item in the database *Sep 2 04:42:27.101: IKEv2:(SESSION ID = 16,SA ID = 1):Failed SA init exchange *Sep 2 04:42:27.101: IKEv2-ERROR:(SESSION ID = 16,SA ID = 1):Initial exchange failed: Initial exchange failed *Sep 2 04:42:27.102: IKEv2:(SESSION ID = 16,SA ID = 1):Abort exchange *Sep 2 04:42:27.102: IKEv2:(SESSION ID = 16,SA ID = 1):Deleting SA

Conditions

Incomplete IKEv2 Policy configured: u22-r1#sh run all | sec ikev2 policy crypto ikev2 policy Test ! Policy Incomplete(MUST have atleast one complete proposal attached) crypto ikev2 policy default match fvrf any proposal default

Workaround

> Configure a complete IKEv2 Policy (set a complete proposal), or > Remove the incomplete IKEv2 Policy to use the default one

Further Problem Description

We have seen that, if we configure an incomplete IKEv2 Proposal, the router fallbacks to the default one with no issues, we would like to implement this ability on the IKEv2 Policy as well

Change history

2025-05-01 Added: 17.3.5

Top Cisco Defects

9.7Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.7Defect ID: CSCwe01579
Cat9800 wncd reload while creating an RRM Client Coverage on large scale setup
9.7Defect ID: CSCwj73634
Full or partial 9800 configuration loss after HA SSO failover
9.7Defect ID: CSCwj74769
After [non]pairwise key enabling and reboot, bfd ip and port mismatch on device.
9.7Defect ID: CSCwh87343
Cisco IOS XE Software Web UI Privilege Escalation Vulnerability

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCwc87891

ENH: IOS-XE Routers should allow to use the IKEv2 default Policy if an incomplete Policy is set

Cisco - Defect ID: CSCwc87891

ENH: IOS-XE Routers should allow to use the IKEv2 default Policy if an incomplete Policy is set

Last updated on May 1st, 2025

BugZero Risk Score3.4 Low

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco Defects

Ready to prevent the next vendor outage?

BugZero Risk Score
3.4 Low