06-22-2009 06:05 PM - edited 03-08-2019 06:26 PM
Core issue
This problem occurs on routers that run code prior to Cisco Release 12.3(8)T.
The routers perform a double Access Control List (ACL) check on inbound packets: once on the encrypted packet and again on the just-decrypted clear-text packet. If the interesting traffic is not defined in the Context Based Access Control (CBAC) configuration, the packets are dropped during this double check.
Resolution
As a workaround, allow the remote VPN subnet through the CBAC configuration.
Refer to Configuring a Router IPsec Tunnel Private-to-Private Network with NAT and a Static for additional help with the configuration.
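The workaround above, shown as an added configuration example that is not from this article or from Cisco's documents. It assumes a constructed topology: outside interface FastEthernet0/0 at 192.0.2.1, remote IPsec peer 198.51.100.1, local LAN 10.1.1.0/24, remote VPN subnet 10.2.2.0/24, and a crypto map named VPNMAP that is already defined.

```cisco
! Added example (not from the original article). Constructed addresses:
! local LAN 10.1.1.0/24, remote VPN LAN 10.2.2.0/24, local public address
! 192.0.2.1, remote IPsec peer 198.51.100.1. The crypto map VPNMAP is assumed
! to exist already.
!
! CBAC inspection rule: sessions leaving through the outside interface open
! dynamic return entries in the inbound ACL.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Inbound ACL on the outside interface. On code prior to 12.3(8)T, each VPN
! packet is checked against this ACL twice: first as the encrypted packet
! (matched by the isakmp and esp lines) and again as the decrypted clear-text
! packet. The last permit line is the workaround: it admits the remote VPN
! subnet so the clear-text packet survives the second check. Without it, the
! decrypted packet falls through to the final deny and is dropped.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
 permit esp host 198.51.100.1 host 192.0.2.1
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny ip any any log
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect FW out
 crypto map VPNMAP
```

To confirm the drop before applying the workaround, the hit counter on the final deny line in show access-lists OUTSIDE-IN increases while the tunnel is up and the remote subnet is sending traffic; after the permit line is added, show ip inspect sessions lists the sessions instead.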
Note: On routers that run code 12.3(8)T or later, the Crypto Access Check on Clear-Text Packets feature removes the check on clear-text packets that go through the IPsec tunnel, either just prior to encryption or just after decryption.
Refer to the How ACL Access Checking Worked Prior to This Feature section of Crypto Access Check on Clear-Text Packets for additional help on how ACL checks worked prior to this new feature.
Refer to the Prerequisites for Crypto Access Check on Clear-Text Packets section of Crypto Access Check on Clear-Text Packets if you plan to upgrade the router to version 12.3(8)T in order to use this feature.
Problem Type
Troubleshoot software feature
Product Family
Firewall - PIX 500 series
Routers