Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
960
Views
0
Helpful
1
Replies

VPN mismatch in ACL

Michal Valach
Level 1
Level 1

‎11-03-2014 09:41 AM

Hello I have VPN tunel between cisco router and ASA. I have 5 ACL entries host to host and are exaclty same on both sides. VPN is working fine. After that I have added subnet on cisco router and customer added host to host on other side and we have mismatch. I have tested ( sendig traffic-standard MQ requests) and this caused whole VPN outage even those 5 entries were affected.

Is is standard behavior?  Can ACL mismatch caused whole VPN down? Or it shoul only affect IPs which are not matching?

Labels:
0 Helpful
1 Reply 1

sganpat
Level 1
Level 1

‎11-04-2014 03:31 PM

Yes, this is normal behaviour. This is a Phase 2 mismatch. The ACLs must be a mirror match at both sides to allow the IPSec SAs to be created.

0 Helpful
Customers Also Viewed These Support Documents