Behavior of ASA after Crypto ACL has been changed

11de784a
Level 1

Hello, I want some clarifications about ASA behavior, because recently I found this peculiarity on ASR 1001:

We need to add the following note to Security for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)-->Configuring Security for VPNs with IPsec-->Crypto Access Lists section:

With crypto map configured on ASR1k, if the crypto map acl is changed, all ipsec traffic stops forwarding until tunnels rekey. You must clear crypto session to get crypto traffic to forward.

It’s from a conversation with a Cisco TAC engineer. After that, I looked at the ASA.

This is the information I got from the Cisco ASA Series VPN CLI Configuration Guide, Software Version 9.1:

If you delete the only element in an ACL, the ASA also removes the associated crypto map.

If you modify an ACL currently referenced by one or more crypto maps, use the crypto map interface command to reinitialize the run-time SA database.

And this is from the crypto map interface section of the Cisco ASA Series Command Reference, Software Version 9.1:

The ASA lets you change crypto map, dynamic map, and IPsec settings on the fly. If you do so, the ASA brings down only the connections affected by the change. If you change an existing access list associated with a crypto map, specifically by deleting an entry within the access-list, the result is that only the associated connection is brought down. Connections based on other entries in the access list are not affected.

So, is traffic matching the other entries affected, and do you need to reinitialize the crypto map after you have changed an ACL on the ASA?

Thank you.
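As an added example (not from the original post and not from Cisco's documentation), this is the ASA-side procedure the quoted configuration guide describes: a crypto ACL referenced by a crypto map, an entry removed from that ACL, and the crypto map re-applied to the interface to reinitialize the run-time SA database, with a before/after check of the IPsec SAs. The ACL and map names, subnets, peer address and transform set are constructed for illustration; the commands themselves are standard ASA 9.x syntax.

```text
! Added example - names, addresses and transform set are assumptions, not from the post.

! Crypto ACL defining the interesting traffic; two entries so the
! "only the associated connection is brought down" claim can be observed.
access-list VPN-ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN-ACL extended permit ip 10.1.3.0 255.255.255.0 10.2.2.0 255.255.255.0

crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
crypto map VPN-MAP 10 match address VPN-ACL
crypto map VPN-MAP 10 set peer 203.0.113.2
crypto map VPN-MAP 10 set ikev1 transform-set TS
crypto map VPN-MAP interface outside

! Record the active SAs before the change so the effect can be compared afterwards.
show crypto ipsec sa peer 203.0.113.2

! Modify the ACL: remove the second entry only. (Removing the *last* remaining
! entry would, per the guide, also delete the associated crypto map entry.)
no access-list VPN-ACL extended permit ip 10.1.3.0 255.255.255.0 10.2.2.0 255.255.255.0

! Re-apply the crypto map to the interface; the configuration guide names this as
! the way to reinitialize the run-time SA database after an ACL change.
crypto map VPN-MAP interface outside

! Verify: the SA for 10.1.1.0/24 <-> 10.2.2.0/24 should remain or re-establish on the
! next interesting packet; no SA should remain for the deleted 10.1.3.0/24 entry.
show crypto ipsec sa peer 203.0.113.2
```

Because the re-apply step can tear down SAs on the affected interface, run the before/after `show crypto ipsec sa` comparison during a maintenance window on a non-production peer first; the output of the two `show` commands is what answers the question of whether unrelated entries were affected.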
