Use of keyword "any" in crypto access lists

jduban
Level 1

Just as an informal poll - does anyone else use the keyword "any" in their crypto access lists? I know that the Cisco docs state that "Cisco discourages the use of the any keyword to specify source or destination addresses.", but I've used it in the past to encrypt all outbound traffic from a site and haven't encountered any problems.

I just recently deployed a series of 1760s (running 12.3.9) and configured them with the crypto ACL

permit ip x.x.x.0 255.255.255.0 any

Periodically, a 1760 will fail the renegotiate and its logs will fill up with the message

%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from x.x.x.x failed its sanity check or is malformed.

Issuing a "clear crypto sa" will clear the problem. TAC is indicating that the problem is due to the use of the keyword "any" in the crypto ACL. Has anyone else experienced problems with the use of any in a crypto ACL?

tia,

-john

1 Reply

jduban
Level 1

I mistyped the mask on the ACL. I didn't catch the mistake until after I posted the message.
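
The thread turns on a wrong wildcard mask: in IOS access lists a 1 bit in the wildcard means "don't care", so `255.255.255.0` after `x.x.x.0` does not select the /24, it selects every address whose last octet is 0 and ignores the real LAN. The script below is an added example, written for this page and not taken from the post or from Cisco. It parses `permit ip <src> <dst>` entries (with the `any` and `host` shorthands), evaluates which source/destination pairs an entry actually selects, and flags wildcards that look like subnet masks. It assumes 192.0.2.0/24 (RFC 5737 documentation space) as a stand-in for the x.x.x.0 network in the post; the sample ACEs and addresses are constructed for the example.

```python
"""Evaluate and lint Cisco IOS crypto ACL entries (the ACL a crypto map's
"match address" points at). Added example; 192.0.2.0/24 stands in for the
x.x.x.0 network from the thread and all sample addresses are constructed."""
import ipaddress

# (address, wildcard) for the "any" shorthand: 0.0.0.0 255.255.255.255
ANY = (0, 0xFFFFFFFF)
MASK32 = 0xFFFFFFFF


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_endpoint(tokens):
    """Consume one endpoint ('any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z')."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>' into {'action', 'src', 'dst'}."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, rest = _parse_endpoint(tokens[2:])
    dst, rest = _parse_endpoint(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {rest}")
    return {"action": tokens[0], "src": src, "dst": dst}


def endpoint_matches(endpoint, ip):
    """IOS wildcard semantics: only bits that are 0 in the wildcard must agree."""
    addr, wild = endpoint
    return ((_ip(ip) ^ addr) & (~wild & MASK32)) == 0


def ace_matches(ace, src_ip, dst_ip):
    """True if the flow src_ip -> dst_ip is selected by this entry."""
    return endpoint_matches(ace["src"], src_ip) and endpoint_matches(ace["dst"], dst_ip)


def lint_endpoint(endpoint):
    """Warnings about one (address, wildcard) pair."""
    addr, wild = endpoint
    warnings = []
    if endpoint == ANY:
        warnings.append("'any' selects every address; Cisco discourages it in crypto ACLs")
        return warnings
    # A sane wildcard is a run of 1 bits from the low end: wild+1 is a power of two.
    if ((wild + 1) & wild) != 0:
        inverted = ~wild & MASK32
        if ((inverted + 1) & inverted) == 0:
            warnings.append(
                f"wildcard {ipaddress.IPv4Address(wild)} looks like a subnet mask; "
                f"did you mean {ipaddress.IPv4Address(inverted)}?")
        else:
            warnings.append(f"non-contiguous wildcard {ipaddress.IPv4Address(wild)}")
    if addr & wild:
        warnings.append("address has bits set under the wildcard; they are ignored")
    return warnings


def lint_ace(ace):
    """All warnings for an entry, prefixed with the side they apply to."""
    return ([f"src: {w}" for w in lint_endpoint(ace["src"])]
            + [f"dst: {w}" for w in lint_endpoint(ace["dst"])])


if __name__ == "__main__":
    # The entry as posted (with the mistyped mask) beside the intended one.
    for line in ("permit ip 192.0.2.0 255.255.255.0 any",
                 "permit ip 192.0.2.0 0.0.0.255 any"):
        ace = parse_ace(line)
        print(line)
        for w in lint_ace(ace):
            print("  warning:", w)
        for src in ("192.0.2.10", "10.9.9.0"):
            print(f"  {src} -> 203.0.113.5 selected:", ace_matches(ace, src, "203.0.113.5"))
```

Run against the posted entry, the linter reports that `255.255.255.0` looks like a subnet mask and that `192.0.2.0` has bits set under the wildcard, and the evaluator shows that a LAN host such as 192.0.2.10 is not selected while an unrelated 10.9.9.0 is. With the wildcard corrected to `0.0.0.255` the LAN matches and the only remaining warning is the `any` destination the original question was about.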
