cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
415
Views
0
Helpful
4
Replies

Intermittant Issue with ISAKMP and ACLs on 2600 routers

Hello everyone, I've come across a strange issue with a VPN running between 2 2600 routers. This affects only one of the two routers.

Basically, there is an intermittant failure of ISKMP negotiation. An ACL is filtering the 'outside' interface, though with all required ISAKMP/IPSec traffic etc. allowed. However, if I remove the ACL when the ISAKMP is failing everything starts to work. I wondered if anyone else had seen someting like this or know its likely cause?

Thanks!

4 Replies 4

slmansfield
Level 4
Level 4

Are you using 2600's with hardware encryption modules?

No, this is all in software. The VPN is very low throughput. I should also add that this is using VRF-aware IPSec, and the ACL is applied inbound on the front-door interface which is in the global routing table. Thanks!

The other question I have is whether you have logging enabled on any of your ACL entries. Here is a URL that describes the performance impact of logging ACL entries.

http://www.cisco.com/web/about/security/intelligence/acl-logging.html

Hi thanks for the response. The ACL is as follows;

ip access-list extended OUTSIDE_ACL_IN

permit ip host x.x.x.x host y.y.y.y

permit esp host x.x.x.x host y.y.y.y

permit udp host x.x.x.x eq isakmp host y.y.y.y eq isakmp

permit udp host x.x.x.x eq non500-isakmp host y.y.y.y eq non500-isakmp

No logging, the bizarre thing is that the ACL counters still increment though the ISAKMP debugs don't suggest that the ISAKMP processes are seeing them (deleting SA reason "Death by retransmission P1").

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: