01-11-2011 03:08 AM
Hi people,
I have a leased line and a crypto map that encrypts all TCP and UDP traffic.
However, on the remote router I get the following error:
.Jan 11 12:49:42.628: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /B.B.B.B, src_addr= A.A.A.A, prot= 17
where B.B.B.B is the netflow server on the remote LAN and A.A.A.A is the LAN (fast0/0) of the 2811 router, which is one of the crypto endpoints.
My crypto access-list on both routers is:
Extended IP access list acl_ipsec
access-list acl_ipsec deny eigrp any any
access-list acl_ipsec deny icmp any any
access-list acl_ipsec permit tcp any any
access-list acl_ipsec permit udp any any
Any ideas why netflow packets do not get encrypted?
01-11-2011 03:30 AM
Hi,
Are you sure that the crypto ACLs are reflective on both ends of the tunnel?
The reference below also warns against using "any any" statements in your crypto ACL.
I suggest making it more specific based on the actual subnets that you want to encrypt.
See below a useful reference:
https://supportforums.cisco.com/docs/DOC-3047
Please rate all posts that are helpful.
01-11-2011 05:34 AM
The access-list is the same on both routers, and thus, if you notice, it's reflective.
It's not a routing problem.
The ACL is only used once.
Why would the "any any" be a problem?
I have lots of networks on the hub side, and creating too many entries in an access list would create a ton of SAs. So it would not be a good idea.
Personally I think it's a bug.
Any other suggestions?
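A way to check what the posted crypto ACL decides for the logged packet, and whether two crypto ACLs are mirror images as the first reply asks. This is an added example, not code from the thread or from Cisco; it parses the ACL exactly as posted, uses constructed RFC 5737 addresses in place of A.A.A.A and B.B.B.B, and accepts CIDR prefixes as a simplification of IOS wildcard masks.

```python
import ipaddress
from dataclasses import dataclass

# IOS protocol keywords to IP protocol numbers (subset used by the posted ACL).
PROTO = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "eigrp": 88}

@dataclass(frozen=True)
class Ace:
    action: str  # "permit" (encrypt) or "deny" (send in the clear)
    proto: str   # IOS protocol keyword
    src: str     # "any" or a CIDR prefix (simplification of IOS wildcard masks)
    dst: str

def parse_acl(text):
    """Parse 'access-list <name> <action> <proto> <src> <dst>' lines as posted."""
    aces = []
    for line in text.strip().splitlines():
        _, _, action, proto, src, dst = line.split()[:6]
        aces.append(Ace(action, proto, src, dst))
    return aces

def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def classify(aces, src, dst, proto_num):
    """First matching ACE wins; no match is the implicit deny (traffic stays cleartext)."""
    for ace in aces:
        want = PROTO[ace.proto]
        if (want is None or want == proto_num) and _addr_match(ace.src, src) and _addr_match(ace.dst, dst):
            return ace
    return None

def is_mirror(local, remote):
    """The peer's crypto ACL must equal the local one with src and dst swapped, entry for entry."""
    return [Ace(a.action, a.proto, a.dst, a.src) for a in local] == list(remote)

# The crypto ACL exactly as posted in the thread.
CRYPTO_ACL = parse_acl("""
access-list acl_ipsec deny eigrp any any
access-list acl_ipsec deny icmp any any
access-list acl_ipsec permit tcp any any
access-list acl_ipsec permit udp any any
""")

# Constructed stand-ins for A.A.A.A (router LAN side) and B.B.B.B (NetFlow collector).
NETFLOW_SRC, NETFLOW_DST = "192.0.2.10", "198.51.100.20"

def netflow_verdict():
    """What the posted ACL decides for the logged packet: prot=17 (UDP), A.A.A.A -> B.B.B.B."""
    return classify(CRYPTO_ACL, NETFLOW_SRC, NETFLOW_DST, 17)
```

`netflow_verdict()` returns the `permit udp any any` entry, so the ACL itself does select the NetFlow packet for IPsec, which is consistent with the poster's expectation and shows the ACL match is not where the mismatch comes from; `is_mirror` gives a quick check of the reflective-ACL requirement when the entries are more specific than `any any`.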