Changes from 15.0 - 15.1 (IP CEF? Zone Based Firewall?)

Tim Butters
Level 1

Hi Guys,

Currently have a 2911 in place running as a hub for a hub and spoke DVTI IPSec setup.

It has a zone based firewall (with the DVTIs being in their own zone etc...) and everything works as it should. The two zone pairs between the safe zone and VPN zone are both inspect on egress and ingress.

I have now purchased a second 2911 to act as another hub - I've set up everything exactly the same as Hub1; the only difference is this router is software version 15.2 whilst Hub1 is 15.0.

Traffic does not want to flow from Hub1 to Hub2, whilst it works for Hub2 to Hub1 - it has an inspection rule on the firewall, so for a short time a client on Hub1 can talk to the client on Hub2 whilst the inspect firewall is open, but that is it.

I've tried all sorts of different configurations. I then turned IP CEF off on Hub2 (15.2) and then, lo and behold, traffic flew across...

Does anyone know of any major changes that have happened in these software releases? Anyone have any experience of this? I will be hitting the Cisco docs tomorrow but I'm hoping someone has run into this before.

Many Thanks

Tim

3 Replies

Tim Butters
Level 1

I've spent the last few hours trialling different IOS versions.

My config works all the way up to 15.0(1)M7; any further up and it stops working unless I change the inspect rules to pass rules or issue `no ip cef`.

I have opened a TAC to get further insight as I cannot find anything in the docs..

Sent from Cisco Technical Support iPhone App
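As an added illustration (not config from either poster), here is the shape of the hub setup described in this thread: a safe LAN zone, a VPN zone containing the DVTI virtual-template, and two zone-pairs that both inspect. The second policy-map shows the "pass" workaround mentioned above, with its trade-off noted in comments. Zone, class-map, policy-map and interface names are assumed.

```cisco
! --- Zones: LAN side and the DVTI tunnels (assumed names) ---
zone security SAFE
zone security VPN
!
interface GigabitEthernet0/1
 description Inside LAN
 zone-member security SAFE
!
interface Virtual-Template1 type tunnel
 description DVTI spokes (each spoke gets a Virtual-Access clone of this)
 zone-member security VPN
!
! --- Traffic the thread's setup tracks statefully ---
class-map type inspect match-any CM-SAFE-VPN
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Stateful version: return traffic is allowed only for sessions the
! router has seen; this is the behaviour that breaks after 15.0(1)M7
! with CEF enabled, per the posts above.
policy-map type inspect PM-INSPECT
 class type inspect CM-SAFE-VPN
  inspect
 class class-default
  drop log
!
! Workaround version: "pass" is stateless, so it must be applied in
! BOTH zone-pairs and gives up session tracking entirely. Prefer the
! fixed IOS over living with this; use it only as a stop-gap.
policy-map type inspect PM-PASS
 class type inspect CM-SAFE-VPN
  pass
 class class-default
  drop log
!
! Both directions inspected, as described in the original post.
zone-pair security ZP-SAFE-TO-VPN source SAFE destination VPN
 service-policy type inspect PM-INSPECT
zone-pair security ZP-VPN-TO-SAFE source VPN destination SAFE
 service-policy type inspect PM-INSPECT
!
! To confirm whether sessions are actually being tracked while testing:
!   show policy-map type inspect zone-pair sessions
```

Disabling CEF (`no ip cef`) forces process switching on the whole box, so it is a diagnostic step rather than a production fix; the thread's own resolution was the bug tracked with TAC.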

Hi Tim,

I am also having a similar issue with a DMVPN setup where the zone based firewall just drops packets, like it doesn't seem to track them correctly. Having seen similar issues with GRE and 15.1, I disabled CEF outright and all was good?

I don't suppose you fixed it / had a good result from your TAC?

Cheers

-Olly

Tim Butters
Level 1

Hi Olly,

I've been in touch with TAC, who have linked this with a bug affecting other features. It is reported as being fixed and is currently in testing and set to be released in the next IOS. I am tracking the bug for further info:

Bug # CSCtw45480

Sent from Cisco Technical Support iPhone App
