10-02-2009 04:20 AM
Hello everyone, I've come across a strange issue with a VPN running between 2 2600 routers. This affects only one of the two routers.
Basically, there is an intermittant failure of ISKMP negotiation. An ACL is filtering the 'outside' interface, though with all required ISAKMP/IPSec traffic etc. allowed. However, if I remove the ACL when the ISAKMP is failing everything starts to work. I wondered if anyone else had seen someting like this or know its likely cause?
Thanks!
10-02-2009 05:05 AM
Are you using 2600's with hardware encryption modules?
10-02-2009 05:07 AM
No, this is all in software. The VPN is very low throughput. I should also add that this is using VRF-aware IPSec, and the ACL is applied inbound on the front-door interface which is in the global routing table. Thanks!
10-02-2009 05:52 AM
The other question I have is whether you have logging enabled on any of your ACL entries. Here is a URL that describes the performance impact of logging ACL entries.
http://www.cisco.com/web/about/security/intelligence/acl-logging.html
10-02-2009 06:05 AM
Hi thanks for the response. The ACL is as follows;
ip access-list extended OUTSIDE_ACL_IN
permit ip host x.x.x.x host y.y.y.y
permit esp host x.x.x.x host y.y.y.y
permit udp host x.x.x.x eq isakmp host y.y.y.y eq isakmp
permit udp host x.x.x.x eq non500-isakmp host y.y.y.y eq non500-isakmp
No logging, the bizarre thing is that the ACL counters still increment though the ISAKMP debugs don't suggest that the ISAKMP processes are seeing them (deleting SA reason "Death by retransmission P1").
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide