...
"show crypto ipsec sa" for the same outbound SPI shows multiple inbound SPIs.
In failover, the following message might be flooded: "Failed to update IPSec failover runtime data on the standby unit. Outbound SPI 0x......."
"show crypto ipsec sa inactive" shows multiple stuck IPsec SAs, e.g. "Inactive inbound SA: SPI: 0x1AAC9593, state: dead, reason: Phase 2 Error", and "clear crypto ipsec sa inactive" does not remove them.
"show counters protocol ipsec" shows a non-zero value: "Protocol Counter Value Context / IPSEC DELETE_SA_VPN_CTX_ASYNC_CMD_FAILURE 2 Summary". After "clear counters protocol ipsec", the counter increases again as new inactive IPsec SAs appear.
In "debug crypto ipsec 255" the following error can be seen: "IPSEC ERROR: Failed to cleanup inbound SPI 0x............"
Apart from the excessive logging rate, no impact on VPN traffic has been observed.
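The three indicators above (the non-zero DELETE_SA_VPN_CTX_ASYNC_CMD_FAILURE counter, dead "Phase 2 Error" entries in "show crypto ipsec sa inactive", and the flooded failover message) can be checked from a monitoring job rather than by eye. The script below is an added example, not part of the bug record or any Cisco tooling: it parses constructed samples of those outputs, whose column spacing and SPI values are assumptions modelled on the fragments quoted above, and reports whether a device matches the signature and whether the counter is rising again after "clear counters protocol ipsec".

```python
import re
from collections import Counter

# --- Constructed sample device output (not captured from a real device) ------

# "show counters protocol ipsec": header/row layout follows the fragment
# quoted in the bug text; the column spacing is an assumption.
SAMPLE_COUNTERS = """\
Protocol   Counter                               Value   Context
IPSEC      DELETE_SA_VPN_CTX_ASYNC_CMD_FAILURE       2   Summary
"""

# "show crypto ipsec sa inactive": lines modelled on the one quoted in the bug
# text; the second SPI value is made up.
SAMPLE_INACTIVE = """\
Inactive inbound SA: SPI: 0x1AAC9593, state: dead, reason: Phase 2 Error
Inactive inbound SA: SPI: 0x2BBD0411, state: dead, reason: Phase 2 Error
"""

# Failover log lines carrying the flooded message; the SPI value is made up.
SAMPLE_SYSLOG = [
    "Failed to update IPSec failover runtime data on the standby unit. Outbound SPI 0x0C3E7A10",
    "Failed to update IPSec failover runtime data on the standby unit. Outbound SPI 0x0C3E7A10",
    "Failed to update IPSec failover runtime data on the standby unit. Outbound SPI 0x0C3E7A10",
    "Some unrelated log line",
]

COUNTER_RE = re.compile(r"^IPSEC\s+(\S+)\s+(\d+)\s+(\S+)\s*$", re.MULTILINE)
INACTIVE_RE = re.compile(
    r"Inactive inbound SA: SPI: (0x[0-9A-Fa-f]+), state: (\w+), reason: (.+?)\s*$",
    re.MULTILINE,
)
FAILOVER_RE = re.compile(
    r"Failed to update IPSec failover runtime data on the standby unit\. "
    r"Outbound SPI (0x[0-9A-Fa-f]+)"
)


def parse_counters(text):
    """Return {counter_name: value} for the IPSEC rows of 'show counters protocol ipsec'."""
    return {name: int(value) for name, value, _ctx in COUNTER_RE.findall(text)}


def parse_inactive_sas(text):
    """Return [(spi, state, reason), ...] from 'show crypto ipsec sa inactive'."""
    return INACTIVE_RE.findall(text)


def count_failover_messages(lines):
    """Count occurrences of the flooded failover message, keyed by outbound SPI."""
    hits = Counter()
    for line in lines:
        m = FAILOVER_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def assess(counters_text, inactive_text, syslog_lines, previous_counters=None):
    """Combine the three indicators into one verdict.

    previous_counters: result of parse_counters() taken right after
    'clear counters protocol ipsec'; a value that has risen since then is the
    behaviour the bug text describes.
    """
    counters = parse_counters(counters_text)
    failures = counters.get("DELETE_SA_VPN_CTX_ASYNC_CMD_FAILURE", 0)
    stuck = [sa for sa in parse_inactive_sas(inactive_text)
             if sa[1] == "dead" and sa[2] == "Phase 2 Error"]
    failover = count_failover_messages(syslog_lines)
    rising = (previous_counters is not None and
              failures > previous_counters.get("DELETE_SA_VPN_CTX_ASYNC_CMD_FAILURE", 0))
    return {
        "async_delete_failures": failures,
        "counter_rising_since_clear": rising,
        "stuck_inactive_sas": [sa[0] for sa in stuck],
        "failover_msgs_per_spi": dict(failover),
        "matches_bug_signature": failures > 0 and len(stuck) > 0,
    }


if __name__ == "__main__":
    after_clear = {"DELETE_SA_VPN_CTX_ASYNC_CMD_FAILURE": 0}
    print(assess(SAMPLE_COUNTERS, SAMPLE_INACTIVE, SAMPLE_SYSLOG, after_clear))
```

Feed the script the real command outputs (and a baseline taken immediately after clearing the counter) to decide whether a device has accumulated stuck SAs; the failover message count per SPI is reported separately because, as noted above, the logging rate rather than the VPN traffic is the operational concern.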
Crypto-map-based L2L VPN using IKEv1 or IKEv2. More detailed conditions are currently unknown. The problem was seen on an FMC-managed FTD on a Firepower 2140.
Reloading the device (for a single device) or both devices at the same time (for a failover pair) removes the stuck IPsec SAs.