Two ACLs with the same host IP address

We attempted to add this ACL to two of our ASRs:

ASR1000 Software (X86_64_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.4(2)S1

ip access-list extended RIMINIvegas
permit ip host 204.63.59.37 host 136.179.14.60

The router has another ACL with the same host IP address:

ip access-list extended TSYS
permit ip host 204.63.59.37 host 206.209.38.55

After adding the RIMINIvegas ACL with no errors, we see this in the config:

ip access-list extended RIMINIvegas
ip access-list extended TSYS
permit ip host 204.63.59.37 host 206.209.38.55

Any ideas?  Is a TAC case required?

Thanks

3 Replies

Richard Burts
Hall of Fame

Here are a couple of ideas which I hope may help.

- It should not be a problem to have two access lists which both contain the same host IP address. Whether they work as expected depends on how the access lists are applied.

- Would you post a screen shot of the command line input and output as you configure the access list RIMINIvegas?

- Would you then post the output of the command show access-list RIMINIvegas?

HTH

Rick

Both ACLs are for IPsec tunnels. This router has 8 tunnels in production with no issues. This ACL is in the config after we enter it.

This is the command string (IP addresses and router name removed for security reasons):

ip access-list extended RIMINIvegas
permit ip host x.x.x.x host x.x.x.x

Phase 1 of the tunnel comes up, then goes down, and the permit statement disappears. My peers thought I was crazy, so they tried it again last night.

Same result.

I can't post the commands as I enter them, we have strict change control, but I can assure you that the commands work, and there are no error messages.

Output of sh ip access-list

router1#sh ip access-list RIMINIvegas
Extended IP access list RIMINIvegas
router1#

TAC case time!

Am I understanding correctly that after you enter the commands that the permit statement does show up in the access list and then when the VPN tunnel attempts to come up that the permit statement disappears from the access list? If so it certainly is TAC case time.

HTH

Rick

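The two things worth checking before opening a TAC case are exactly what the thread circles around: whether a named ACL actually has entries (the `show ip access-list RIMINIvegas` output above shows none), and whether a permit line in one crypto ACL overlaps a permit line in another, which is a real problem for IPsec traffic selection, whereas the same source host appearing in two ACLs with different destinations is not. The script below is an added example written for this thread, not code from the original post or from Cisco. It parses named extended ACLs from `show running-config` or `show ip access-list` text, lists empty ACLs, and reports cross-ACL permit entries whose source and destination both overlap. The BRANCH ACL, the second sample config and the function names are constructed for the example; only `permit ip host A host B` / `any` / address-plus-wildcard forms are handled, and non-contiguous wildcard masks are rejected.

```python
"""Sanity checks for Cisco IOS named extended ACLs (added example, not from the thread).

Detects (1) ACLs that exist but have no entries and (2) permit entries in
different ACLs whose source AND destination ranges overlap, which matters when
the ACLs are used as crypto ACLs for separate IPsec tunnels.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Accepts both running-config headers and "show ip access-list" headers.
HEADER_RE = re.compile(r"^(?:ip access-list extended|Extended IP access list) (\S+)")
# Optional sequence number, action, protocol, rest of the line.
ENTRY_RE = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.*)$")


@dataclass
class AclEntry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str


@dataclass
class Acl:
    name: str
    entries: list = field(default_factory=list)


def wildcard_to_prefix(wildcard: str) -> int:
    """Convert an IOS wildcard mask (0.0.0.255) to a prefix length; reject non-contiguous masks."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard} is not supported")
    return prefix


def _take_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    prefix = wildcard_to_prefix(tokens[1])
    return ipaddress.ip_network((tokens[0], prefix), strict=False), tokens[2:]


def parse_acls(config_text: str) -> dict:
    """Return {name: Acl} for every named extended ACL in the text."""
    acls, current = {}, None
    for line in config_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = acls.setdefault(m.group(1), Acl(m.group(1)))
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            action, proto, rest = m.groups()
            src, tokens = _take_addr(rest.split())
            dst, _ = _take_addr(tokens)  # ports / "(n matches)" suffixes are ignored
            current.entries.append(AclEntry(action, proto, src, dst, line.strip()))
    return acls


def empty_acls(acls: dict) -> list:
    """Names of ACLs that are declared but contain no entries (the symptom in the thread)."""
    return sorted(name for name, acl in acls.items() if not acl.entries)


def cross_acl_overlaps(acls: dict) -> list:
    """(acl_a, entry_a, acl_b, entry_b) for permit entries in different ACLs that overlap on both src and dst."""
    hits, names = [], sorted(acls)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for ea in acls[a].entries:
                for eb in acls[b].entries:
                    if (ea.action == eb.action == "permit"
                            and ea.src.overlaps(eb.src) and ea.dst.overlaps(eb.dst)):
                        hits.append((a, ea.text, b, eb.text))
    return hits


# Constructed sample mirroring the config shown in the thread, plus a made-up BRANCH ACL
# whose broad entry genuinely overlaps the TSYS entry.
SAMPLE_CONFIG = """\
ip access-list extended RIMINIvegas
ip access-list extended TSYS
 permit ip host 204.63.59.37 host 206.209.38.55
ip access-list extended BRANCH
 permit ip 204.63.59.0 0.0.0.255 any
"""

# Constructed: what the config was meant to look like. Same source host in both
# ACLs, different destination hosts, so there is no overlap to report.
INTENDED_CONFIG = """\
ip access-list extended RIMINIvegas
 permit ip host 204.63.59.37 host 136.179.14.60
ip access-list extended TSYS
 permit ip host 204.63.59.37 host 206.209.38.55
"""

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    print("empty ACLs:", empty_acls(acls))
    for a, ea, b, eb in cross_acl_overlaps(acls):
        print(f"overlap: {a}: {ea}  <->  {b}: {eb}")
```

Run it against a saved `show running-config` or `show ip access-list` capture; an ACL that appears in `empty_acls` after you have configured a permit line is the symptom described in the thread and worth capturing with a timestamp before the TAC case, while a non-empty `cross_acl_overlaps` list is a configuration problem you can fix yourself.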