...
A stale IKEv2 SA entry is formed when both peers establish IKE simultaneously. The fix for CSCwe40463 clears the stale entry, but in some scenarios it takes almost 120 seconds to clear, and IPsec traffic can be dropped for that period. In the output below, two IKE SAs to the same peer are READY (IKE count:2) but only one child SA exists (CHILD count:1), listed under the RESPONDER SA; the INITIATOR SA carries no child SA.

FPASA(config)# show crypto ikev2 sa detail

IKEv2 SAs:

Session-id:27, Status:UP-ACTIVE, IKE count:2, CHILD count:1

Tunnel-id                 Local                Remote     fvrf/ivrf            Status  Role
11903071           100.0.0.1/500        200.0.0.1/500            READY  INITIATOR
      Encr: AES-CBC, keysize: 192, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 0/111 sec
      Session-id: 0
      Status Description: Negotiation done
      Local spi: 6329B1B8B2E89638       Remote spi: 0BDD15A0C66276D1
      Local id: 100.0.0.1
      Remote id: 200.0.0.1
      Local req mess id: 2              Remote req mess id: 0
      Local next mess id: 3             Remote next mess id: 0
      Local req queued: 2               Remote req queued: 0
      Local window: 1                   Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected
      IKEv2 Fragmentation Configured MTU: 576 bytes, Overhead: 28 bytes, Effective MTU: 548 bytes
      Parent SA Extended Status:
        Delete in progress: FALSE
        Marked for delete: FALSE
Tunnel-id                 Local                Remote     fvrf/ivrf            Status  Role
11954861           100.0.0.1/500        200.0.0.1/500            READY  RESPONDER
      Encr: AES-CBC, keysize: 192, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 0/111 sec
      Session-id: 27
      Status Description: Negotiation done
      Local spi: 2CC39232B7AB3D70       Remote spi: E4BF519CD19AF5A4
      Local id: 100.0.0.1
      Remote id: 200.0.0.1
      Local req mess id: 6              Remote req mess id: 7
      Local next mess id: 6             Remote next mess id: 7
      Local req queued: 6               Remote req queued: 7
      Local window: 1                   Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected
      IKEv2 Fragmentation Configured MTU: 576 bytes, Overhead: 28 bytes, Effective MTU: 548 bytes
      Parent SA Extended Status:
        Delete in progress: FALSE
        Marked for delete: FALSE
Child sa: local selector  220.159.54.65/0 - 220.159.54.65/65535
          remote selector 220.159.55.78/0 - 220.159.55.78/65535
          ESP spi in/out: 0x50cc7b6b/0x86c5c0a1
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 128, esp_hmac: SHA256
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Site-to-site VPN between two firewalls. Both firewalls bring up the VPN simultaneously, which creates duplicate IKEv2 SAs; however, one of the IKEv2 SAs is not cleared. The peer device runs an old software release that lacks the fix for CSCvh93910.
1) Upgrade the peer device to an image that includes the fix for CSCvh93910.
2) Clear the stale IKEv2 SA manually (clear crypto ikev2 sa on the ASA). Clearing by peer address also tears down the working SA to that peer, which is then renegotiated, so expect a short traffic interruption.
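The stale entry in the output above can be picked out mechanically: two READY IKE SAs to the same peer, only one of which has a child SA. The script below is an added example written for this note, not Cisco code. It parses the show crypto ikev2 sa detail text as laid out above (the column layout and the empty fvrf/ivrf column are assumptions taken from that output and may differ between releases), groups SAs by peer, flags the duplicate that carries no child SA, and marks it overdue if it has outlived the roughly 120-second clearing window the note describes. SAMPLE is the note's own output trimmed to the fields the parser reads.

```python
"""Flag a stale duplicate IKEv2 SA in ASA 'show crypto ikev2 sa detail' output.
Added example, not Cisco code; the field layout is assumed from the bug note's output."""
import re
from dataclasses import dataclass
from typing import Optional

SA_HEADER = re.compile(  # tunnel-id, local, remote, [fvrf/ivrf], status, role
    r"^\s*(?P<tid>\d+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:\S+\s+)?(?P<status>\S+)\s+(?P<role>INITIATOR|RESPONDER)\s*$")
SESSION_ID = re.compile(r"^\s*Session-id:\s*(\d+)\s*$")  # per-SA form, not the summary line
ACTIVE_TIME = re.compile(r"Life/Active Time:\s*\d+/(\d+)\s*sec")
MARKED = re.compile(r"Marked for delete:\s*(TRUE|FALSE)")
CHILD_SA = re.compile(r"^\s*Child sa:")
CLEAR_WINDOW_SECS = 120  # the note: the fixed code can take ~120 s to clear the stale entry

@dataclass
class IkeSa:
    tunnel_id: str
    local: str  # ip/port
    remote: str
    status: str
    role: str
    session_id: Optional[int] = None
    active_secs: int = 0
    marked_for_delete: bool = False
    child_sas: int = 0

    def peer_key(self) -> tuple:
        return self.local.split("/")[0], self.remote.split("/")[0]  # ignore the NAT-T port

def parse_ikev2_sa_detail(text: str) -> list:
    sas, cur = [], None
    for line in text.splitlines():
        if m := SA_HEADER.match(line):
            cur = IkeSa(m["tid"], m["local"], m["remote"], m["status"], m["role"])
            sas.append(cur)
        elif cur is None:
            continue  # prompt / summary lines before the first SA
        elif m := SESSION_ID.match(line):
            cur.session_id = int(m[1])
        elif m := ACTIVE_TIME.search(line):
            cur.active_secs = int(m[1])
        elif m := MARKED.search(line):
            cur.marked_for_delete = m[1] == "TRUE"
        elif CHILD_SA.match(line):
            cur.child_sas += 1  # child SAs are printed under their parent IKE SA
    return sas

def find_stale_sas(sas: list, clear_window: int = CLEAR_WINDOW_SECS) -> list:
    """One finding per READY IKE SA that duplicates another SA to the same peer
    but carries no child SA (the working SA is the one with the child)."""
    by_peer: dict = {}
    for sa in sas:
        by_peer.setdefault(sa.peer_key(), []).append(sa)
    findings = []
    for (local, remote), group in by_peer.items():
        ready = [sa for sa in group if sa.status == "READY"]
        if len(ready) < 2 or not any(sa.child_sas for sa in ready):
            continue  # single SA, or a negotiation still in flight: nothing to pick from
        for sa in ready:
            if sa.child_sas == 0:
                findings.append({
                    "tunnel_id": sa.tunnel_id, "peer": f"{local}->{remote}",
                    "role": sa.role, "session_id": sa.session_id,
                    "active_secs": sa.active_secs, "marked_for_delete": sa.marked_for_delete,
                    "overdue": sa.active_secs > clear_window and not sa.marked_for_delete,
                })
    return findings

# The note's own output, trimmed to the lines the parser reads.
SAMPLE = """\
FPASA(config)# show crypto ikev2 sa detail
IKEv2 SAs:
Session-id:27, Status:UP-ACTIVE, IKE count:2, CHILD count:1
Tunnel-id                 Local                Remote     fvrf/ivrf            Status  Role
11903071           100.0.0.1/500        200.0.0.1/500            READY  INITIATOR
      Life/Active Time: 0/111 sec
      Session-id: 0
      Parent SA Extended Status:
        Marked for delete: FALSE
Tunnel-id                 Local                Remote     fvrf/ivrf            Status  Role
11954861           100.0.0.1/500        200.0.0.1/500            READY  RESPONDER
      Life/Active Time: 0/111 sec
      Session-id: 27
      Parent SA Extended Status:
        Marked for delete: FALSE
Child sa: local selector  220.159.54.65/0 - 220.159.54.65/65535
          remote selector 220.159.55.78/0 - 220.159.55.78/65535
          ESP spi in/out: 0x50cc7b6b/0x86c5c0a1
"""

if __name__ == "__main__":
    for finding in find_stale_sas(parse_ikev2_sa_detail(SAMPLE)):
        print(finding)
```

Run against the sample it reports tunnel-id 11903071 (the INITIATOR SA with Session-id 0 and no child SA) at 111 seconds, still inside the clearing window; an SA that stays in the list past the window and is not marked for delete is the case the workaround's manual clear is for. A duplicate pair where neither SA has a child SA yet is deliberately skipped, since that is what a rekey or a negotiation in progress looks like.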