Intermittant Issue with ISAKMP and ACLs on 2600 routers

Unanswered Question
Oct 2nd, 2009
User Badges:

Hello everyone, I've come across a strange issue with a VPN running between 2 2600 routers. This affects only one of the two routers.

Basically, there is an intermittant failure of ISKMP negotiation. An ACL is filtering the 'outside' interface, though with all required ISAKMP/IPSec traffic etc. allowed. However, if I remove the ACL when the ISAKMP is failing everything starts to work. I wondered if anyone else had seen someting like this or know its likely cause?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
slmansfield Fri, 10/02/2009 - 05:05
User Badges:
  • Silver, 250 points or more

Are you using 2600's with hardware encryption modules?

egl.davidfarrell Fri, 10/02/2009 - 05:07
User Badges:

No, this is all in software. The VPN is very low throughput. I should also add that this is using VRF-aware IPSec, and the ACL is applied inbound on the front-door interface which is in the global routing table. Thanks!

egl.davidfarrell Fri, 10/02/2009 - 06:05
User Badges:

Hi thanks for the response. The ACL is as follows;

ip access-list extended OUTSIDE_ACL_IN

permit ip host x.x.x.x host y.y.y.y

permit esp host x.x.x.x host y.y.y.y

permit udp host x.x.x.x eq isakmp host y.y.y.y eq isakmp

permit udp host x.x.x.x eq non500-isakmp host y.y.y.y eq non500-isakmp

No logging, the bizarre thing is that the ACL counters still increment though the ISAKMP debugs don't suggest that the ISAKMP processes are seeing them (deleting SA reason "Death by retransmission P1").


This Discussion