Bug in IOS 17.12.3 Crypto Map related ACLS blank after reboot.

cryptz
Level 1

I don't have a support contract, so just throwing this out there in case it makes its way to the right set of eyes.

Platform is a 4461, crypto map is applied to an add-in 10 Gb card, te1/0/4.

Coming from 17.9.4a - no issues here.

Upgraded to 17.12.03 - VPN tunnels didn't come up; eventually realized it was because the match address ACLs associated to the crypto map are blank. I first tried adding the entries, but it forced me to de-activate the crypto map from the external interface first (I suspect a similar error is being encountered by the system itself at boot). Manually re-entering them works, but it doesn't persist through the next reboot.

Reverting to 17.9.4a fixed issue.
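A post-reboot sanity check for the symptom described in this post, added here as an example and not code from the thread or from Cisco: it parses a saved running-config text and flags every crypto map entry whose match-address ACL has no permit/deny entries or is absent from the config. The sample config is constructed, and the regexes assume the usual IOS text layout of named ACL and crypto map stanzas.

```python
import re

# Constructed sample resembling the thread's post-reboot state: crypto map
# entry 10 still names VPN-ACL, but that ACL now has no entries, and entry 30
# names an ACL that is not in the config at all. Entry 20 is healthy.
SAMPLE_CONFIG = """\
ip access-list extended VPN-ACL
ip access-list extended DC-ACL
 remark traffic to second site
 10 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 match address VPN-ACL
crypto map CMAP 20 ipsec-isakmp
 match address DC-ACL
crypto map CMAP 30 ipsec-isakmp
 match address MISSING-ACL
"""

ACL_HDR = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
ACE = re.compile(r"^\s+(?:\d+\s+)?(?:permit|deny)\b")   # remarks are not ACEs
MAP_HDR = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
MATCH = re.compile(r"^\s+match address (\S+)")


def parse(config: str) -> tuple[dict[str, int], dict[str, str]]:
    """Return ({acl: ACE count}, {'MAP SEQ': ACL named by 'match address'})."""
    ace_counts: dict[str, int] = {}
    map_acls: dict[str, str] = {}
    acl = entry = None
    for line in config.splitlines():
        if not line.startswith(" "):      # any top-level line starts a new stanza
            acl = entry = None
            if m := ACL_HDR.match(line):
                acl = m.group(1)
                ace_counts.setdefault(acl, 0)
            elif m := MAP_HDR.match(line):
                entry = f"{m.group(1)} {m.group(2)}"
        elif acl and ACE.match(line):
            ace_counts[acl] += 1
        elif entry and (m := MATCH.match(line)):
            map_acls[entry] = m.group(1)
    return ace_counts, map_acls


def empty_crypto_acls(config: str) -> list[tuple[str, str, str]]:
    """Flag crypto map entries whose match-address ACL is missing or has no ACEs."""
    ace_counts, map_acls = parse(config)
    return [(entry, acl, "missing" if acl not in ace_counts else "empty")
            for entry, acl in sorted(map_acls.items())
            if ace_counts.get(acl, 0) == 0]
```

Run it against a `show running-config` capture taken before the upgrade and again after the first reboot; any entry it reports on the second run but not the first is a tunnel that will not come up.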

8 Replies

Just out of curiosity, and since crypto maps are considered 'legacy', do VTIs work without problems ?

cryptz
Level 1

I am not sure. The router does 2x site-to-site VPNs to SonicWalls; from what I have just read it looks like they would support VTI, but I'm not overly interested in changing this unless there is some dramatic performance benefit.

cryptz
Level 1

I have switched to a VTI setup as it doesn't require any ACL associated with the tunnel. This has resolved the issue with VPN on version 17.12.3. I'm not sure whether this functionality was intentionally phased out or if Cisco overlooked the lack of functionality.

Hello,

Actually, I have seen this a few times before, on different platforms. Not sure this is a bug, I think Cisco wants to phase out crypto maps, as these are considered very legacy...

cryptz
Level 1

I would hope they would document that somewhere...

Ab26
Level 1

I upgraded the IOS recently and I faced the same problem. I can't, however, change all policy-based VPNs to route-based.

All route-based tunnels didn't face any problem, as they are not connected to a crypto map.

I cannot see a bug for this. Is there any workaround?

cryptz
Level 1

Not sure what version you upgraded to, but as others have stated it seems intentional, though not well documented. Reverting is likely your only option unless there is some newer firmware that adds the functionality back.

StevenMercer
Level 1

It looks like this is a known issue. I just ran into it going to 17.12.3a; I didn't see the error messages in the log at boot, but the symptoms are the same.
https://bst.cisco.com/bugsearch/bug/CSCwj11789
Similar to what you experienced, I found that 17.9.4a/5a don't appear to have this issue.