Just as an informal poll - does anyone else use the keyword "any" in their crypto access lists? I know that the Cisco docs state that "Cisco discourages the use of the any keyword to specify source or destination addresses.", but I've used it in the past to encrypt all outbound traffic from a site and haven't encountered any problems.
I just recently deployed a series of 1760s (running 12.3.9) and configured them with the crypto ACL
permit ip x.x.x.0 255.255.255.0 any
Periodically, a 1760 will fail to renegotiate and its logs will fill up with the message
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from x.x.x.x failed its sanity check or is malformed.
Issuing a "clear crypto sa" will clear the problem. TAC is indicating that the problem is due to the use of the keyword "any" in the crypto ACL. Has anyone else experienced problems with the use of any in a crypto ACL?
tia,
-john
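As an added example (not part of the post above, and not Cisco's code), here is a small audit script that reads an IOS-style configuration, resolves which access lists are referenced by `crypto map ... match address`, and flags any crypto ACL entry that uses the `any` keyword as source or destination, which is the pattern the Cisco docs discourage. It is a config linter for review, not a fix for the IKE sanity-check error described in the post. The sample configuration is constructed for illustration; the map name, peers, ACL numbers and addresses are assumptions, and the ACL entries use IOS wildcard masks (0.0.0.255) rather than subnet masks.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample IOS configuration (not from a real device).
# ACL 101 uses "any" as destination and is referenced by a crypto map;
# ACL 150 also uses "any" but is not a crypto ACL, so it is not flagged.
SAMPLE_CONFIG = """\
crypto map SITE-VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address 101
crypto map SITE-VPN 20 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set TS
 match address VPN-TO-HQ
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 150 permit ip any any
ip access-list extended VPN-TO-HQ
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip host 10.1.1.5 host 10.2.2.5
"""


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Collect numbered and named ACL entries, keyed by ACL name/number."""
    acls: Dict[str, List[str]] = {}
    current = None  # name of the named ACL block we are inside, if any
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = re.match(r"^access-list (\S+) (permit|deny) (.*)$", line)
        if m:  # classic numbered ACL, one entry per line
            acls.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
            continue
        m = re.match(r"^ip access-list (?:extended|standard) (\S+)$", line)
        if m:  # start of a named ACL block; entries follow indented
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        if line.startswith(" ") and current is not None:
            entry = line.strip()
            if entry.startswith(("permit", "deny")):
                acls[current].append(entry)
            continue
        current = None  # any other top-level line ends the named ACL block
    return acls


def crypto_map_match_acls(config: str) -> List[Tuple[str, int, str]]:
    """Return (map name, sequence, ACL name) for every crypto map entry's match address."""
    refs: List[Tuple[str, int, str]] = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            current = (m.group(1), int(m.group(2)))
            continue
        m = re.match(r"^\s+match address (\S+)", line)
        if m and current is not None:
            refs.append((current[0], current[1], m.group(1)))
            continue
        if line and not line.startswith(" "):
            current = None  # left the crypto map block
    return refs


def audit_any(config: str) -> List[Tuple[str, int, str, str]]:
    """Flag permit entries in crypto ACLs that use "any" as source or destination."""
    acls = parse_acls(config)
    findings: List[Tuple[str, int, str, str]] = []
    for map_name, seq, acl_name in crypto_map_match_acls(config):
        for entry in acls.get(acl_name, []):
            tokens = entry.split()
            # Layout is "permit <proto> <src> [mask] <dst> [mask]"; only
            # permit entries select traffic for encryption, deny entries do not.
            if tokens[0] == "permit" and "any" in tokens[2:]:
                findings.append((map_name, seq, acl_name, entry))
    return findings


if __name__ == "__main__":
    for map_name, seq, acl_name, entry in audit_any(SAMPLE_CONFIG):
        print(f"crypto map {map_name} {seq} -> ACL {acl_name}: '{entry}' uses 'any'")
```

Run against a saved `show running-config`, the script lists each crypto map entry whose ACL would encrypt traffic to or from `any`, so those policies can be reviewed and, where practical, narrowed to the specific remote subnets.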