THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Migration to new field notice system
Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416.
Some versions of the Adaptive Security Appliance (ASA) software might cause the ASA to stop traffic encryption for stale VPN Context entries.
Stale VPN Context entries might cause some versions of the ASA software to stop traffic encryption. This applies to Internet Key Exchange Version 2 (IKEv2) LAN-to-LAN (L2L) tunnels configured with default IKEv2 rekey configuration that support both time and data-based rekeys. The affected traffic will be dropped by the ASA.
An ASA security appliance with a working L2L VPN tunnel suddenly stops traffic encryption. The Accelerated Security Path (ASP) table shows duplicate ASP entries and traffic that hits a stale ASP entry is dropped.
Upgrade the ASA to one of these ASA software versions:
9.1(7.12) or later
9.2(4.21) or later
9.4(4) or later
9.5(3.3) or later
9.6(2.5) or later
9.6(3) or later
9.7(1) or later
9.8(1) or later
Note: Prior to an upgrade of the ASA software, enter the copy running-config command in order to create a backup of the system configuration and save the output to a file. Following the software upgrade, enter the more system:running-config command and compare the output to the saved file in order to ensure the original configuration was restored.
Updated Cisco ASA software that addresses this issue is available from Cisco Software Central for customers with a valid service contract.
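The fixed-release list above can be checked against a device inventory mechanically. The following is an added example, not Cisco code: it assumes version strings in the show version form 9.1(7)12 or the notice's 9.1(7.12) form, treats trains after 9.8 as covered by "9.8(1) or later", and uses constructed hostnames and versions.

```python
import re

# Fixed releases from the notice, keyed by (major, minor) train, stored as
# (maintenance, interim). 9.6 lists 9.6(2.5) and 9.6(3); the lower bound covers both.
FIXED = {
    (9, 1): (7, 12), (9, 2): (4, 21), (9, 4): (4, 0), (9, 5): (3, 3),
    (9, 6): (2, 5), (9, 7): (1, 0), (9, 8): (1, 0),
}

# Accepts "9.1(7)12" (show version) and "9.1(7.12)" (notice notation).
_VER = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?")


def parse_asa_version(text):
    """Return (major, minor, maintenance, interim) found in text."""
    m = _VER.search(text)
    if m is None:
        raise ValueError(f"no ASA version in {text!r}")
    major, minor, maint, dotted, trailing = m.groups()
    return int(major), int(minor), int(maint), int(dotted or trailing or 0)


def check(text):
    """Classify a version string as 'fixed', 'upgrade' or 'not-listed'."""
    major, minor, maint, interim = parse_asa_version(text)
    train = (major, minor)
    if train > max(FIXED):
        return "fixed"       # assumption: later trains fall under "9.8(1) or later"
    if train not in FIXED:
        return "not-listed"  # the notice names no fixed release in this train
    return "fixed" if (maint, interim) >= FIXED[train] else "upgrade"


def audit(inventory):
    """Map each hostname to its classification."""
    return {host: check(version) for host, version in inventory.items()}


# Constructed inventory: hostnames and versions are illustrative only.
SAMPLE = {
    "fw-a": "Cisco Adaptive Security Appliance Software Version 9.1(7)9",
    "fw-b": "Cisco Adaptive Security Appliance Software Version 9.6(2)5",
    "fw-c": "9.4(3)12",
    "fw-d": "9.3(2)",
    "fw-e": "9.12(4)",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

A "not-listed" result means only that this notice names no fixed release in that train; it says nothing about whether the train is affected.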
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: