Hello,
We have a GETVPN domain running 30 routers with 3 Key Servers in COOP mode.
During a change yesterday we changed the crypto ACL on the Key Servers to add the following:
(Legacy deny (do not encrypt) statements output omitted)
access-list 170 deny ip any any dscp ef
access-list 170 deny ip any any dscp af41
(Legacy permit (encrypt) statements omitted)
This configuration was entered correctly on the Key Server (Cisco 3925 running 15.4(3)M) and verified. Then a clear crypto was issued on a Group Member (ASR 1001X IOS XE running 03.16.02S) and the above ACL entries were altered when viewed on the Group Member as:
(Legacy deny (do not encrypt) statements output omitted)
access-list 170 deny ip any any
(Legacy permit (encrypt) statements omitted)
On the Group Member the original legacy ACL entries were maintained but the two new dscp ACL entries were reduced to the single ip deny any any, which of course is not desirable.
Can anyone offer any insight as to what may be the issue here? I have not tested this on a non-IOS XE Group Member as yet but any assistance is appreciated.