09-27-2012 11:57 AM - edited 02-21-2020 06:22 PM
Hello all,
I came across something when I was troubleshooting IPsec VPN connections between two Cisco IAD 2431s. Here is a snapshot of the config on one of the routers:
crypto map vpnmap 6 ipsec-isakmp
 description To_Grovecity
 set peer X.X.X.X
 set transform-set vpnset
 match address To_Grovecity
crypto map vpnmap 10 ipsec-isakmp
 description To_Datacenter
 set peer Y.Y.Y.Y
 set transform-set vpnset
 match address To_Datacenter
 qos pre-classify
ip access-list extended To_Grovecity
 permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
ip access-list extended To_Datacenter
 permit ip 10.24.96.0 0.0.0.255 10.11.12.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 172.31.46.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 10.80.102.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 10.24.69.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 192.168.15.0 0.0.0.255
From this router's LAN interface (10.24.96.1), I couldn't ping the LAN interface of the router corresponding to the Grovecity peer, which is X.X.X.X. The LAN interface at Grovecity is 10.80.103.3.
As soon as I removed the statement "permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255", which was unnecessarily present in the To_Datacenter ACL, things started working.
What confuses me is this: since the crypto map vpnmap entry for Grovecity is at sequence 6 and comes before the vpnmap entry for Datacenter, the statement "permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255" under the To_Datacenter ACL should never be considered, and it shouldn't matter whether that statement is present in the ACL or not, but apparently it does. Has anyone faced this before, or am I missing something?
Thanks
Mukundh
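As an added example (not from this thread or from Cisco), here is a small Python check that parses the crypto map and ACL lines quoted above and flags any ACE in a later crypto map sequence whose source/destination pair is already selected by an earlier sequence, which is exactly the duplicate that had to be removed here. It assumes contiguous wildcard masks and the "permit ip <src> <wildcard> <dst> <wildcard>" form used in the post; the config text is a constructed sample reproducing the relevant lines.

```python
import ipaddress
import re

# Constructed sample, reproducing the crypto map entries and ACLs quoted in the post.
CONFIG = """\
crypto map vpnmap 6 ipsec-isakmp
 match address To_Grovecity
crypto map vpnmap 10 ipsec-isakmp
 match address To_Datacenter
ip access-list extended To_Grovecity
 permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
ip access-list extended To_Datacenter
 permit ip 10.24.96.0 0.0.0.255 10.11.12.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
"""

def wildcard_to_network(addr, wildcard):
    # IOS wildcard: 0 bits are significant. Assumes a contiguous mask (0.0.0.255 -> /24).
    prefix = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.IPv4Network((addr, prefix), strict=False)

def parse(config):
    """Return {seq: acl_name} for the crypto map and {acl_name: [(src, dst)]}."""
    maps, acls, cur_map, cur_acl = {}, {}, None, None
    for line in config.splitlines():
        if m := re.match(r"crypto map \S+ (\d+) ipsec-isakmp", line):
            cur_map, cur_acl = int(m.group(1)), None
        elif m := re.match(r"\s*match address (\S+)", line):
            if cur_map is not None:
                maps[cur_map] = m.group(1)
        elif m := re.match(r"ip access-list extended (\S+)", line):
            cur_acl, cur_map = m.group(1), None
            acls[cur_acl] = []
        elif (m := re.match(r"\s*permit ip (\S+) (\S+) (\S+) (\S+)", line)) and cur_acl:
            acls[cur_acl].append((wildcard_to_network(m[1], m[2]),
                                  wildcard_to_network(m[3], m[4])))
    return maps, acls

def find_overlaps(maps, acls):
    """Return [(later_seq, earlier_seq, src, dst)] for each ACE already covered earlier."""
    hits, seen = [], []
    for seq in sorted(maps):
        for src, dst in acls.get(maps[seq], []):
            for eseq, esrc, edst in seen:
                if eseq < seq and src.overlaps(esrc) and dst.overlaps(edst):
                    hits.append((seq, eseq, str(src), str(dst)))
            seen.append((seq, src, dst))
    return hits
```

Running find_overlaps(*parse(CONFIG)) on the sample reports the 10.24.96.0/24 -> 10.80.103.0/24 ACE of sequence 10 as already matched by sequence 6.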
09-27-2012 01:11 PM
Hello Mukundh,
I hope you didn't have that unnecessary statement in the destination device, right?
regards
Harish
09-27-2012 01:42 PM
Hi Harish,
By destination device, do you mean Y.Y.Y.Y? If so, I am not sure, as I don't manage that device. But that device has been offline for the past few days. It was recently removed from production.
09-27-2012 01:46 PM
Yeah, because I have read somewhere that the Cisco recommended way is to do exactly mirrored ACLs on VPN peers. So I was just wondering: when that unnecessary command was there in your configuration, it was not an exact mirror of the other end's ACL, which would have caused the issue.
regards
Harish.
09-27-2012 02:13 PM
Hi,
In order to successfully build an SA, the L2L peers need to exchange the exact same ACEs (mirrors of each other) along with other parameters like the transform-set, PFS group (if configured), etc.
Otherwise Phase II does not come up.
Thanks.
Portu.
Please rate any helpful posts.