Bug in IOS 17.12.3 Crypto Map related ACLS blank after reboot.

cryptz · ‎04-09-2024

I dont have a support contract, so just throwing this out there in case it makes its way to the right set of eyes.

Platform is a 4461, Cryptomap is applied to an add-in 10gb card, te1/0/4

Comming from 17.9.4a - no issues here.

Upgraded to 17.12.03 - VPN tunnels didnt come up, eventually realized it was because the match address ACLs associated to the crypto map are blank. I first tried adding the entries, it forced me to de-activate the cryptomap from the external interface first (i suspect a similar error is being encountered by the system itself at boot). Manually re-entering them works, but it doesnt persist through the next reboot.

Reverting to 17.9.4a fixed issue.

Georg Pauwen · ‎04-09-2024

Just out of curiosity, and since crypto maps are considered 'legacy', do VTIs work without problems ?

cryptz · ‎04-09-2024

i am not sure, the router does 2x site to site vpns to sonicwalls, from what i have just read it looks like they would support vti but im not overly interested in changing this unless there is some dramatic performance benefit.

cryptz · ‎04-11-2024

I have switched to a VTI setup as it doesn't require any ACL associated with the tunnel. This has resolved the issue with VPN on version 17.12.3. I'm not sure whether this functionality was intentionally phased out or if Cisco overlooked the lack of functionality.

Georg Pauwen · ‎04-11-2024

Hello,

actially, I have seen this a few times before, on different platforms. Not sure this is a bilug, I think Cisco wants to phase out crypto maps, as these are considered very legacy...

cryptz · ‎04-11-2024

i would hope they would document that somewhere..