07-10-2012 06:30 AM
I had Windows domain controllers whose IPsec tunnels were not working. One of the domain controllers had a CSS on the path and I suspect the CSS is dropping these packets. But in another data centre I could see a similar tunnel working through a CSS. Just confused with it.
The only difference I could find is that the working CSS doesn't have any ACLs applied to the ingress interface. The non-working one has an ACL on the interface, but it allows any tcp/udp and I have even put any any there. Could anyone please help me here.
Thanks,
Shobith
07-11-2012 05:45 AM
Hi Shobith,
I too have this problem; it will be good if we get an answer!!
Barry
07-23-2012 03:34 AM
Got the answer with some research and fixed it. Cisco CSS supports IPsec passthrough, but not with the ACL feature enabled. In my load balancer, ACL was enabled globally and an access list was applied to the interface. Even though the access list was permit any/any, it was blocking IPsec traffic. So I had to disable the ACL globally on the CSS using the 'acl disable' command and then remove the access list from the interface. But bear in mind, if you try to remove the access list from the interface alone without disabling it globally, the interface will start blocking all traffic going through that interface. Found the below document useful.
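The fix sequence described in the answer above, written out as a CSS configuration example. This is an added illustration, not the poster's configuration and not Cisco documentation: the ACL index 10, the clause number and the circuit name VLAN1 are assumed placeholders, and the command syntax follows the CSS 11500 ACL commands as I recall them (acl enable/disable, acl <index>, clause, apply/remove circuit-(...), copy running-config startup-config), so verify it against the CSS command reference for your software version before typing it in.

```cisco
! All commands below are entered in CSS configuration mode (assumed reconstruction).

! --- State that was dropping IPsec ---
! ACL feature switched on globally, and a permit-any ACL bound to the ingress circuit.
! Even this open ACL breaks IPsec passthrough on the CSS.
acl enable
acl 10
  clause 10 permit any any
  apply circuit-(VLAN1)

! --- Remediation, in this order ---
! 1. Turn the ACL feature off globally FIRST. While the feature is enabled, a circuit
!    with no ACL applied blocks all traffic, so unbinding the ACL first would
!    black-hole the interface.
acl disable

! 2. Only now unbind the ACL from the circuit.
acl 10
  remove circuit-(VLAN1)

! 3. Check that no ACL is still applied to any circuit, then save.
show acl
copy running-config startup-config
```

Note that `acl disable` removes every packet filter the CSS was enforcing, not just the one on this circuit; whatever filtering that ACL was meant to provide has to move to a device in front of or behind the CSS, and the `show acl` step is there to confirm nothing else was silently relying on the feature.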