GETVPN - Exception-ACL Issue

Hi,

The network consists of 500+ branch offices & the HO (with ASR1004) routers connected via MPLS L3 IP/VPN.

I have configured a GETVPN group & need to migrate production nodes slowly.

Initially, in order to enable encryption for both directions, an exception-acl (deny statements) is written for the 500+ branches.

The HO router & one remote branch are configured for the GETVPN group.

Issue:

When the encryption policy is pushed from the KS to the GMs, traffic from the HO to non-GM branches is disturbed. It seems that the exception-acl does not work, or is it some other resource issue or a control-traffic block?

All routing protocols & control traffic are allowed unencrypted by the KS group policy.

Any guess what could be going on here?

regards,

Waruna

3 Replies

Lei Tian
Cisco Employee

Hi Waruna,

The global policy on the KS can only contain a maximum of 100 rules, including both deny and permit entries. If the number of rules you need exceeds the limit, you might need to consider applying a local policy on the HO so that traffic to non-GM branches is not encrypted.

Regards,

Lei Tian

Hi Lei,

Thanks for the feedback.

I was aware of this limitation in the global policy on the KS.

My KS policy doesn't have more than 30 entries, but in my local HO exception ACL I have 500+ deny entries! (Until I migrate each branch into the GETVPN group...)

Is there any limitation on the local exception ACL?

regards,

Waruna

Hi Waruna,

I am not aware of any limitation on local deny ACLs, but I found a couple of bugs related to complex ACLs in GET VPN: CSCsu38169 and CSCsw85293.

If you are using a fail-close ACL, you might also want to check that the fail-close ACL has all the permits reflecting the downloaded and local denies.

Regards,

Lei Tian
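The two points raised in the replies above (keep per-branch exceptions out of the KS global policy because of its 100-rule limit, and keep the fail-close ACL in step with the downloaded and local denies) fit together in one GM-side configuration. The following is an added example, not a configuration posted by Waruna or Lei Tian and not taken from Cisco documentation: the group name, identity number, KS address, interface and every prefix are constructed placeholders, and the fail-close ACL semantics it relies on (deny = forwarded in the clear even while the GM is unregistered, permit = dropped until registration succeeds) are stated as an assumption to be confirmed against the release notes of the IOS/IOS XE train in use.

```cisco
! Added example, not from the thread. All names, numbers and prefixes are
! constructed placeholders.
!
! --- KS side (reference only): the global policy stays small and carries
! --- only what every GM must treat identically. Control plane in the clear,
! --- everything else between the sites encrypted.
ip access-list extended GETVPN-KS-POLICY
 remark GDOI registration and rekey
 deny   udp any eq 848 any eq 848
 remark routing to the MPLS PE stays in the clear
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 remark site-to-site traffic is encrypted (assumed 10.0.0.0/8 addressing)
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! --- HO GM side: the per-branch exceptions live here, not on the KS.
! --- Only deny entries are meaningful in the local ACL; a local deny is
! --- evaluated before the policy downloaded from the KS, so matching
! --- traffic is sent in the clear regardless of the KS permit above.
ip access-list extended GETVPN-LOCAL-EXCEPTION
 remark one deny per branch not yet a GM; remove it when that branch registers
 deny   ip 10.0.0.0 0.0.0.255 10.101.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.0.0.255 10.102.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.0.0.255 10.103.0.0 0.0.255.255
!
! --- Fail-close ACL. ASSUMED semantics (verify for your release):
! --- deny = forwarded unencrypted while the GM has no group policy,
! --- permit = dropped until registration succeeds. It therefore needs a
! --- deny for every KS-policy deny AND every local-exception deny, or
! --- those flows break as soon as fail-close is active.
ip access-list extended GETVPN-FAIL-CLOSE
 remark registration and control plane
 deny   udp any eq 848 any eq 848
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 remark mirror of GETVPN-LOCAL-EXCEPTION; keep both lists in lock-step
 deny   ip 10.0.0.0 0.0.0.255 10.101.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.0.0.255 10.102.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.0.0.255 10.103.0.0 0.0.255.255
 remark everything else is dropped until the GM holds the group keys
 permit ip any any
!
crypto gdoi group GETVPN-GRP
 identity number 1234
 server address ipv4 10.255.255.1
!
crypto map GETVPN-MAP gdoi fail-close
 match address GETVPN-FAIL-CLOSE
 activate
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GRP
 match address GETVPN-LOCAL-EXCEPTION
!
interface GigabitEthernet0/0/0
 description MPLS PE-facing uplink
 crypto map GETVPN-MAP
```

Two checks are worth running on the HO when a non-GM branch stops answering: `show crypto gdoi gm acl` lists the downloaded and local ACLs as the GM actually applies them, and `show access-lists GETVPN-LOCAL-EXCEPTION` shows hit counters on the deny entries. If a branch is unreachable and its deny counter stays at zero, the flow is not matching the exception (typically a wrong prefix or wildcard mask) and is being encrypted under the KS permit instead. When a branch is migrated, remove its entry from both GETVPN-LOCAL-EXCEPTION and GETVPN-FAIL-CLOSE at the same time the branch registers: a deny left behind on the HO makes the HO send clear text that the now-encrypting branch GM will discard, so the break only moves rather than disappears.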