Cisco ASA Software is affected by this vulnerability if the system is configured to terminate IKEv1 or IKEv2 VPN connections or if it is configured as an Easy VPN hardware client.

Cisco ASA Software Configured to Terminate IKEv1 or IKEv2 VPN Connections

Cisco ASA Software is affected by this vulnerability if the system is configured to terminate IKEv1 or IKEv2 VPN connections.

This includes the following:
LAN-to-LAN IPsec VPN
Remote access VPN using the IPsec VPN client
Layer 2 Tunneling Protocol (L2TP)-over-IPsec VPN connections
IKEv2 AnyConnect

Cisco ASA Software is not affected by this vulnerability if the system is configured to terminate only the following VPN connections:
Clientless SSL
AnyConnect SSL

To determine whether the Cisco ASA is configured to terminate IKEv1 or IKEv2 VPN connections, check for a crypto map: one must be configured for at least one interface.

Administrators should use the show running-config crypto map | include interface command and verify that it returns output.

The following example shows a crypto map called outside_map configured on the outside interface:

ciscoasa# show running-config crypto map | include interface
crypto map outside_map interface outside

Note: Due to a misconfiguration or to a partial configuration, the IKEv1 or IKEv2 process may still accept incoming IKE messages even if a crypto map is not configured.

Administrators who do not have a crypto map configured should also check that IKEv1 or IKEv2 is disabled on the affected system.

To verify that IKEv1 is enabled, use the command below that matches the software release and verify that it returns output:
show running-config crypto ikev1 | include enable command for Cisco ASA Software releases 8.4 and later
show running-config crypto isakmp | include enable command for Cisco ASA Software releases between 7.2.1 and 8.4
show running-config | include isakmp enable command for Cisco ASA Software releases prior to 7.2.1

To verify that IKEv2 is enabled, use the show running-config crypto ikev2 | include enable command and verify that it returns output.

Cisco ASA Software Configured as Easy VPN Hardware Client

Cisco ASA Software is affected by this vulnerability if the system is configured as an Easy VPN hardware client.

To verify that the system is configured as an Easy VPN hardware client, use the show running-config vpnclient | include enable command and verify that it returns output.

The following example shows Cisco ASA configured as an Easy VPN hardware client:

ciscoasa# show running-config vpnclient | include enable
vpnclient enable

Note: To exploit this vulnerability on Cisco ASA Software configured as an Easy VPN hardware client, an attacker must force the Cisco ASA to connect to a malicious VPN server.

No other Cisco products are currently known to be affected by this vulnerability.
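
The checks above can also be run offline against a saved copy of the running configuration. The following Python sketch is an added example, not part of the original advisory: it applies the same section and "| include" filters as plain substring matches, and the function names, result strings and sample configurations (including the webvpn lines) are constructed for illustration.

```python
# Added example: offline version of the advisory's "show running-config" checks.
# Matching is a plain substring test, like the CLI's "| include" filter.
CRYPTO_MAP, EZVPN = "crypto map on an interface", "Easy VPN hardware client"
CHECKS = [  # (label, "show running-config <section>" prefix, "| include" text)
    (CRYPTO_MAP, "crypto map ", "interface"),
    ("IKEv1 (8.4 and later)", "crypto ikev1 ", "enable"),
    ("IKEv1 (7.2.1 to 8.4)", "crypto isakmp ", "enable"),
    ("IKEv1 (prior to 7.2.1)", "", "isakmp enable"),
    ("IKEv2", "crypto ikev2 ", "enable"),
    (EZVPN, "vpnclient ", "enable"),
]

def matches(config_text):
    """Return {label: [lines]} for each check that would return output."""
    hits = {}
    for line in (raw.strip() for raw in config_text.splitlines()):
        for label, prefix, needle in CHECKS:
            if line.startswith(prefix) and needle in line:
                hits.setdefault(label, []).append(line)
    return hits

def assess(config_text):
    """Map the matches onto the advisory's affected conditions."""
    hits = matches(config_text)
    ike_enabled = any(label.startswith("IKEv") for label in hits)
    findings = []
    if CRYPTO_MAP in hits:
        findings.append("terminates IKEv1 or IKEv2 VPN connections")
    elif ike_enabled:  # the case described in the advisory's first Note
        findings.append("no crypto map, but IKE is enabled and may accept IKE messages")
    if EZVPN in hits:
        findings.append("configured as an Easy VPN hardware client")
    return findings

# Constructed sample configurations (hypothetical, for illustration only).
IPSEC_GATEWAY = """\
crypto map outside_map interface outside
crypto ikev1 enable outside
"""
SSL_ONLY = """\
webvpn
 enable outside
 anyconnect enable
"""
PARTIAL = "crypto ikev2 enable outside\n"
EZVPN_CLIENT = "vpnclient enable\n"

if __name__ == "__main__":
    for name, cfg in [("ipsec", IPSEC_GATEWAY), ("ssl-only", SSL_ONLY),
                      ("partial", PARTIAL), ("ezvpn", EZVPN_CLIENT)]:
        print(name, "->", assess(cfg) or "no affected condition matched")
```

Because the matching is a substring test like the CLI filter, a line that merely contains the filter text (for example a crypto map whose name contains "interface") is reported as well and should be reviewed by hand.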