Operational Defect Database


WatchGuard Technologies | kA10H000000g3cqSAA

IKEv2 VPN to Cisco device can fail because of large IKE_Auth requests

Last update date:

5/15/2018

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

12.x

12.0.x

12.1.x

12.1

12.1.1

12.1.3

12.10.x

12.2.x

12.3.x

12.4.x

Fixed releases:

All

Description:

Issue

If you configure an IKEv2-based branch office VPN tunnel to a Cisco or other device that sends larger than expected IKE_Auth requests, the Firebox drops those requests and the VPN fails. When this occurs, you see a log message that looks like this:

Apr 24 10:50:07 iked[1869]: (203.0.113.2<->198.51.100.2)drop the received IKEv2 message from 198.51.100.2:4500 - reason="ike2_CheckParsePayload_CFG: the recevied CFG payload has the invalid type or Attributes"

Workaround/Solution

To avoid this issue, disable the config-exchange request on the Cisco or other remote device with the command no config-exchange request. The peer then no longer includes the configuration (CFG) payload in its IKE_Auth request, which is the payload the Firebox rejects in the log message above.
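The following is an added example, not code from WatchGuard or BugZero: it parses Fireware iked drop messages of the form quoted above, flags the ones caused by the rejected CFG payload, and reports the remote peer whose config-exchange setting needs attention. The sample log lines are constructed; the first one is the article's message, the other two are noise.

```python
import re
from typing import Optional

# Matches the Fireware iked drop message quoted in the article:
# "<ts> iked[<pid>]: (<local><-><remote>)drop the received IKEv2 message
#  from <peer>:<port> - reason="<reason>""
IKED_DROP_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) iked\[(?P<pid>\d+)\]: '
    r'\((?P<local>[0-9.]+)<->(?P<remote>[0-9.]+)\)'
    r'drop the received IKEv2 message from (?P<peer>[0-9.]+):(?P<port>\d+)'
    r' - reason="(?P<reason>[^"]*)"$'
)

# Prefix of the reason string in the article; the typo "recevied" is in the real log text.
CFG_PAYLOAD_REASON = "ike2_CheckParsePayload_CFG"


def parse_iked_drop(line: str) -> Optional[dict]:
    """Return the fields of an iked drop message, or None for any other line."""
    m = IKED_DROP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    d["port"] = int(d["port"])
    # True only for the CFG-payload rejection described in the article
    d["cfg_payload_drop"] = d["reason"].startswith(CFG_PAYLOAD_REASON)
    return d


def find_cfg_drops(lines):
    """Return (remote peer, port, timestamp) for every CFG-payload drop in lines."""
    hits = []
    for line in lines:
        d = parse_iked_drop(line)
        if d and d["cfg_payload_drop"]:
            hits.append((d["peer"], d["port"], d["ts"]))
    return hits


# Constructed sample log: line 1 is the article's message, lines 2 and 3 are unrelated.
SAMPLE_LOG = [
    'Apr 24 10:50:07 iked[1869]: (203.0.113.2<->198.51.100.2)drop the received IKEv2 message from 198.51.100.2:4500 - reason="ike2_CheckParsePayload_CFG: the recevied CFG payload has the invalid type or Attributes"',
    'Apr 24 10:50:08 iked[1869]: (203.0.113.2<->198.51.100.2)drop the received IKEv2 message from 198.51.100.2:4500 - reason="some other reason"',
    'Apr 24 10:50:09 sshd[1234]: Accepted publickey for admin from 192.0.2.10',
]

if __name__ == "__main__":
    for peer, port, ts in find_cfg_drops(SAMPLE_LOG):
        print(f"{ts}: CFG payload drop from {peer}:{port}; check config-exchange on that peer")
```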


Status

Resolved
