Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
602
Views
0
Helpful
3
Replies

Adding entries to crypto acl causes tunnel to crash

cory.fedorak
Level 1
Level 1

‎08-19-2010 08:36 AM

Hi Guys,

I'm wondering if anyone else has had similar issues.

We have a working IPSEC tunnel, we go to add additional crypto acl entries to said tunnel (on both sides) and the tunnel crashes and won't come back up.  Now we remove the new entries and the tunnel still won't come back up.  On further inspection of the crytpo acl's on both sides, they do not match(and didn't when the tunnel was working).  How did the tunnel work before, why is it not working now?

To fix the issue we made both sides of the crypto acl match and then had to remove the crypto map for that tunnel and reapply it, then the tunnel came back.

Anyone know why the tunnel even after making both sides match would still not come up without removing the crypto map and reapplying it?

Thanks

Cory

Labels:
0 Helpful
3 Replies 3

athukral
Level 1
Level 1

‎08-20-2010 05:44 PM

Hello Cory,


Thanks for writing in!


Well are you using Pix firewall with 6.X code? Pix with 6.X code has couple of  known software defects, wherein if we make any changes to crytpo access list, its always recommnended to remove crypto map from the interface and then make change to crypto access list. Incase you directly make change to access list, then Pix hangs and only option is to reload the Pix.


Well its always recommended to have the exact mirror image of crypto access list on both ends.



Thanks


Ankur

0 Helpful

cory.fedorak
Level 1
Level 1
In response to athukral

‎08-23-2010 07:25 AM

Hey Ankur,

Thanks for the reply, I believe both sides are using Cisco 6500 Chassis and on our side we also have a SPA card.  Yes mirroring ACL's are always a good idea, I'm just a little confused about why the tunnel wouldn't work for the ACE's that did match, it should have only effected the ACE's that did not match.

Cheers

0 Helpful

athukral
Level 1
Level 1
In response to cory.fedorak

‎08-23-2010 05:56 PM

Thanks for the reply!!


Well it gives issues for non matching ACE, because, it tries to initiate spi generation/negotiation based on that ACE, and once the it finds that far end does not have an ACE that it should have, it ends with Phase 2 QSM  error


Hope this explains !


And regarding your issue, if  you could provide me the exact logs/debugs, then i will be able to provide you with the reason that why your tunnel failed.


Was ACL the culprit or something else.


Appreciate your time.



Regards


Ankur

0 Helpful
Customers Also Viewed These Support Documents