IOS IPsec bugs

Craig Illman Craig.Illman at PACCAR.COM
Wed May 24 18:05:27 EDT 2000


I have a Nortel Contivity 2000 running 2.11 with multiple Cisco branches
attached. One customer with two Cisco 2611 sites was running 12.0.7 back to
us. He was having trouble between his sites. He upgraded to 12.1.1 and had
problems connecting reliably back to us.

Today I upgraded one site that was having regular trouble to 12.1.2T; within
an hour I was downgrading back to 12.0.7.

On my test Cisco 1720 I put on 12.1.2T, as well, this AM. I had trouble just
getting it to Dial on Demand to the ISP and ping out to the Internet
reliably. I downgraded to 12.0.7 and it would build a tunnel in a couple
pings. My opinion is that 12.1 needs a bit more work.

-----Original Message-----
From: Tina Bird [mailto:tbird at PRECISION-GUESSWORK.COM]
Sent: Monday, May 22, 2000 4:03 PM
To: VPN at SECURITYFOCUS.COM
Subject: IOS IPsec bugs


Hi all --

I've been configuring a bunch of Cisco 3662 routers to do
IPsec, and we've discovered that IOS version 12.0(7)T, which
shipped with our routers, has an IPsec bug.

When the SA expires at 3600 seconds, the IOS fails to
negotiate a new security association.  The connection will
set itself back up if you manually clear the security
associations and keys, but not otherwise.

We were advised to upgrade to 12.1.1.1(T) which seems to be
more stable.  Has anyone else seen this behavior?

thanks -- Tina

VPN is sponsored by SecurityFocus.COM
