BugZero | Cisco BugID CSCwe01015 - IKEv2/IPSec - phase 2 rekey failing when peer is b...

Cisco - Defect ID: CSCwe01015

IKEv2/IPSec - phase 2 rekey failing when peer is behind NAT

Cisco - Defect ID: CSCwe01015

IKEv2/IPSec - phase 2 rekey failing when peer is behind NAT

Last updated on July 7th, 2025

BugZero Risk Score
6.1 Medium

Overall: 6.1

Severity: 6.4

Lifecycle: 9.1

Popularity: 5.1

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Description

Symptom

- An IOS-XE router will fail an IKEv2 phase 2 rekey, when device and/or peer is behind a NAT/PAT device. - When receiving the CREATE_CHILD_SA exchange with TSi, TSr, Nonce, and SA data, it will log the following messages: *Jan 5 22:40:36.002: IKEv2:(SESSION ID = 73,SA ID = 1):Validating create child message *Jan 5 22:40:36.002: IKEv2-INTERNAL:(SESSION ID = 73,SA ID = 1):SM Trace-> SA: I_SPI=BC35C337F8344C7D R_SPI=3948A7C86A2C9F6B (I) MsgID = 8 CurState: CHILD_I_PROC Event: EV_PROC_MSG *Jan 5 22:40:36.002: IKEv2:(SESSION ID = 73,SA ID = 1):Processing CREATE_CHILD_SA exchange *Jan 5 22:40:36.002: IKEv2-INTERNAL:(SESSION ID = 73,SA ID = 1):Failed to verify the proposed policies *Jan 5 22:40:36.002: IKEv2-ERROR:(SESSION ID = 73,SA ID = 1):: There was no IPSEC policy found for received TS

Conditions

- IOS-XE router running 17.9(1a), 17.9(2a) or 17.10(1a). - Router and/or peer must be behind NAT/PAT device. - IPSec is configured in transport mode. - IKEv2 tunnel.

Workaround

- Downgrade to any 17.8 or lower version of code. - Use IKEv1.

Further Problem Description

Change history

2025-03-27 Added: 17.9.1, 17.9.2

Top Cisco Defects by Risk Score

9.65Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.65Defect ID: CSCwa92734
CUBE DTMF interworking fails from rtp-nte to OOB SIP methods
9.65Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.65Defect ID: CSCvo03458
PKI "revocation check crl none" does not fallback if CRL not reachable
9.65Defect ID: CSCvq05584
Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCwe01015

IKEv2/IPSec - phase 2 rekey failing when peer is behind NAT

Cisco - Defect ID: CSCwe01015

IKEv2/IPSec - phase 2 rekey failing when peer is behind NAT

Last updated on July 7th, 2025

BugZero Risk Score
6.1 Medium

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco Defects by Risk Score

Ready to prevent the next vendor outage?

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCwe01015

IKEv2/IPSec - phase 2 rekey failing when peer is behind NAT

Cisco - Defect ID: CSCwe01015

IKEv2/IPSec - phase 2 rekey failing when peer is behind NAT

Last updated on July 7th, 2025

BugZero Risk Score6.1 Medium

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco Defects by Risk Score

Ready to prevent the next vendor outage?

BugZero Risk Score
6.1 Medium