
Ipsec passthrough support for CSS

Shobith K
Level 1

I had Windows domain controllers whose IPsec tunnels were not working. One of the domain controllers had a CSS on the path and I suspect the CSS is dropping these packets. But in another data centre I could see a similar tunnel working through a CSS. Just confused by it.

  • Does CSS support IPsec passthrough (AH/ESP)?
  • Is there anywhere we can see these drops logged?

The only difference I could find is that the working CSS doesn't have any ACLs applied to the ingress interface. The non-working one has an ACL on the interface, but allowing any tcp/udp, and I have even put any any there. Could anyone please help me here.

Thanks,

Shobith

2 Replies

browe747csc
Level 1

Hi Shobith,

I too have this problem; it will be good if we get an answer!!

Barry

Shobith K
Level 1

Got the answer with some research and fixed it. Cisco CSS supports IPsec passthrough but without the ACL feature enabled. In my load balancer, ACL was enabled globally and an access list was applied to the interface. Even though the access list was permit any/any, it was blocking IPsec traffic. So I had to disable the ACL globally on the CSS by using the 'acl disable' command and then remove the access list from the interface. But bear in mind, if you try to remove the access list from the interface alone without disabling it globally, the interface will start blocking all traffic going through that interface. Found the document below useful.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/security/guide/Access.html
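The thread turns on a point worth checking before blaming any device: AH and ESP are their own IP protocols (51 and 50), not TCP or UDP, so a filter written in terms of tcp/udp can never match them and they fall to the implicit deny. The script below is an added example, not part of the thread and not Cisco CSS code: it parses constructed IPv4 headers, pulls out the protocol number, and evaluates it against a simplified, ordered permit/deny ACL model (an assumption for illustration, which does not reproduce the CSS quirk where even permit any/any blocked IPsec once the ACL feature was enabled). Running it on the two ACL shapes shows which protocols a tcp/udp-only list drops and what adding explicit esp/ah clauses changes.

```python
"""Why a transport-protocol ACL silently drops IPsec AH/ESP.

Added example for this thread. The ACL evaluation is a simplified model
(ordered clauses, implicit deny), assumed for illustration only; it is not
the Cisco CSS implementation.
"""
import struct

# IANA IP protocol numbers
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
PROTO_ESP, PROTO_AH = 50, 51
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 50: "esp", 51: "ah"}


def build_ipv4_header(protocol: int, src: str, dst: str) -> bytes:
    """Constructed minimal 20-byte IPv4 header (no options, checksum zeroed)."""
    def ip_bytes(addr: str) -> bytes:
        return bytes(int(octet) for octet in addr.split("."))
    ver_ihl = (4 << 4) | 5          # version 4, header length 5 words
    return struct.pack("!BBHHHBBH4s4s",
                       ver_ihl, 0, 20, 0, 0, 64, protocol, 0,
                       ip_bytes(src), ip_bytes(dst))


def ip_protocol(packet: bytes) -> int:
    """Return the IP protocol field (header byte 9) of an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[9]


def acl_permits(clauses, protocol: int) -> bool:
    """First matching clause wins; no match means implicit deny."""
    for action, proto in clauses:
        if proto == "any" or PROTO_NAMES.get(protocol) == proto:
            return action == "permit"
    return False


def dropped_protocols(clauses, packets):
    """Sorted names of the protocols in `packets` that the ACL would drop."""
    dropped = set()
    for packet in packets:
        proto = ip_protocol(packet)
        if not acl_permits(clauses, proto):
            dropped.add(PROTO_NAMES.get(proto, str(proto)))
    return sorted(dropped)


# Constructed sample traffic: IKE negotiation (UDP), ESP, AH, and plain TCP
SAMPLE = [
    build_ipv4_header(PROTO_UDP, "10.0.0.1", "10.0.1.1"),
    build_ipv4_header(PROTO_ESP, "10.0.0.1", "10.0.1.1"),
    build_ipv4_header(PROTO_AH, "10.0.0.1", "10.0.1.1"),
    build_ipv4_header(PROTO_TCP, "10.0.0.1", "10.0.1.1"),
]

# "Allowing any tcp/udp", as in the question: AH and ESP fall through to deny
TCP_UDP_ONLY = [("permit", "tcp"), ("permit", "udp")]
# Same list with the IPsec protocols named explicitly
TCP_UDP_IPSEC = TCP_UDP_ONLY + [("permit", "esp"), ("permit", "ah")]

if __name__ == "__main__":
    print("tcp/udp-only ACL drops:", dropped_protocols(TCP_UDP_ONLY, SAMPLE))
    print("with esp/ah clauses drops:", dropped_protocols(TCP_UDP_IPSEC, SAMPLE))
```

The same protocol-number check is what to look for in a capture on either side of the load balancer: if UDP/500 IKE completes but no protocol 50 or 51 packets appear on the far side, the drop is on the path, whatever the ACL text says.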
