...
Customer has configured a feature template "Cisco VPN Interface IPsec" with the "IKE Rekey Interval (seconds)" as "28800", but the router itself shows "86400".

The device shows "in sync" and no errors while pushing the template from the vManage GUI.

The router has been rebooted with no change. Two devices "CSR1000V" are showing the same behavior, version 17.03.05.0.9 and vManage version 20.6.4.

We found that in vManage, "local config >>> intent" shows the correct config but "local config >>> config" shows the incorrect config:

INTENT:

```
interface ipsec5
 description "x.x.x.x"
 ip address x.x.x.x/x
 tunnel-source-interface GigabitEthernet1
 tunnel-destination x.x.x.x
 application none
 ike
  version 2
  rekey 28800 <<<<<<<<<<<<<<<<<<<<<<<<
  cipher-suite aes256-cbc-sha2
  group 14
  authentication-type
   pre-shared-key
    pre-shared-secret x.x.x.x
    local-id x.x.x.x
   !
  !
 !
 ipsec
  rekey 27000
  replay-window 1024
  cipher-suite aes256-gcm
  perfect-forward-secrecy none
 !
 mtu 1400
 no shutdown
!
```

CONFIG:

```
crypto ikev2 profile if-ipsec5-ikev2-profile
 authentication local pre-share
 authentication remote pre-share
 no config-exchange request
 dpd 10 3 on-demand
 identity local address x.x.x.x
 keyring local if-ipsec5-ikev2-keyring
 lifetime 86400 <<<<<<<<<<<<<<<<<<<<<<<<
 match identity remote address x.x.x.x
```

Show commands from router:

```
#sh run all | s ^crypto ikev2 profile if-ipsec5-ikev2-profile
crypto ikev2 profile if-ipsec5-ikev2-profile
 ! Profile incomplete (no match identity or match certificate statement)
 ! Profile incomplete (no local and/or remote authentication method specified)
 no dynamic
 description
 match identity remote address x.x.x.x x.x.x.x
 identity local address x.x.x.x
 authentication remote pre-share
 authentication local pre-share
 keyring local if-ipsec5-ikev2-keyring
 lifetime 86400 <<<<<<<<<<<<<<<<<<<<<
 lifetime certificate
 dpd 10 3 on-demand
 aaa authentication eap
 aaa authentication anyconnect-eap
 config-exchange set send
 config-exchange set accept
 no config-exchange request
 no shutdown
```

```
#sh crypto ikev2 sa remote x.x.x.x
Tunnel-id Local            Remote           fvrf/ivrf   Status
5         x.x.x.x/4500     x.x.x.x/4500     none/245    READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/9522 sec <<<<<<<<<<<<<<<<<<<<
```
"CSR1000V" version 17.03.05.0.9, vManage version 20.6.4, "IKE Rekey Interval (seconds)" as "28800".
NA
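Because vManage reports the device as "in sync", the mismatch above only shows up when the intent and the applied configuration are compared directly. The following check does that comparison; it is an added example, not part of the original report or of Cisco's tooling. The sample text is constructed from the outputs quoted in the report, and the `if-<interface>-ikev2-profile` naming is an assumption drawn from the single ipsec5 pair shown there.

```python
import re

# Constructed sample input, trimmed from the outputs quoted in the report.
INTENT = """interface ipsec5
 ike
  rekey 28800
 !
 ipsec
  rekey 27000
 !
!
"""
DEVICE = """crypto ikev2 profile if-ipsec5-ikev2-profile
 lifetime 86400
 lifetime certificate
"""

def intent_ike_rekey(text):
    """Return {interface: seconds} from the 'rekey' line inside each 'ike' block."""
    out, iface, in_ike = {}, None, False
    for tok in map(str.split, text.splitlines()):
        if tok[:1] == ["interface"] and len(tok) > 1:
            iface, in_ike = tok[1], False
        elif tok in (["ike"], ["ipsec"]):
            in_ike = tok == ["ike"]          # the ipsec block has its own rekey; skip it
        elif in_ike and iface and len(tok) > 1 and tok[0] == "rekey" and tok[1].isdigit():
            out[iface], in_ike = int(tok[1]), False
    return out

def device_ike_lifetime(text):
    """Return {profile: seconds} from 'lifetime <n>' under each IKEv2 profile."""
    out, prof = {}, None
    for line in text.splitlines():
        if not line[:1].isspace():           # a column-0 line starts or ends a section
            m = re.match(r"crypto ikev2 profile (\S+)", line)
            prof = m.group(1) if m else None
        elif prof and (m := re.match(r"\s+lifetime (\d+)\b", line)):
            out[prof] = int(m.group(1))      # 'lifetime certificate' does not match
    return out

def rekey_drift(intent, device):
    """Return [(interface, intended, applied)] where the device value differs."""
    applied = device_ike_lifetime(device)
    # Profile name pattern is assumed from the ipsec5 example on this page.
    return [(i, want, got) for i, want in intent_ike_rekey(intent).items()
            if (got := applied.get(f"if-{i}-ikev2-profile")) != want]

print(rekey_drift(INTENT, DEVICE))
```

An applied value of `None` in the result means no matching IKEv2 profile or numeric lifetime was found on the device for that interface.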