Core issue
This problem is due to the presence of Cisco bug ID CSCsd48512.
In order for this issue to occur, the PIX Firewall must have VPN tunnels that terminate on an interface, and its peers must disconnect and then reconnect.
Note: One symptom of this problem is that the Missing SA failures field in the show ipsec stat command increments:
fw# show ipsec stat
IPSec Global Statistics
-----------------------
Active tunnels: 758
Previous tunnels: 851185
Inbound
Bytes: 2889705611
Decompressed bytes: 2889705611
Packets: 101359204
Dropped packets: 1807
Replay failures: 6
Authentications: 101357399
Authentication failures: 1799
Decryptions: 101357399
Decryption failures: 0
Outbound
Bytes: 1655641563
Uncompressed bytes: 1656289143
Packets: 101505107
Dropped packets: 2472907
Authentications: 101682816
Authentication failures: 0
Encryptions: 101682816
Encryption failures: 0
Protocol failures: 0
Missing SA failures: 2472909
System capacity failures: 0
Resolution
For a workaround, perform either of these steps:
- Reboot the PIX.
- Download and upgrade the software version to any of these versions:
- 7.0(5)
- 7.3(0.1)
- 7.2(0.46)
- 7.0(4.13)
- 7.1(2.1)