Adding entries to crypto acl causes tunnel to crash

Unanswered Question
Aug 19th, 2010

Hi Guys,

I'm wondering if anyone else has had similar issues.

We have a working IPSEC tunnel, we go to add additional crypto acl entries to said tunnel (on both sides) and the tunnel crashes and won't come back up.  Now we remove the new entries and the tunnel still won't come back up.  On further inspection of the crypto ACLs on both sides, they do not match (and didn't when the tunnel was working).  How did the tunnel work before, why is it not working now?

To fix the issue we made both sides of the crypto acl match and then had to remove the crypto map for that tunnel and reapply it, then the tunnel came back.

Anyone know why the tunnel even after making both sides match would still not come up without removing the crypto map and reapplying it?

athukral Fri, 08/20/2010 - 17:44

Hello Cory,

Thanks for writing in!

Well, are you using a Pix firewall with 6.X code? Pix with 6.X code has a couple of known software defects, wherein if we make any changes to the crypto access list, it's always recommended to remove the crypto map from the interface and then make the change to the crypto access list. In case you directly make a change to the access list, then the Pix hangs and the only option is to reload the Pix.

Well, it's always recommended to have the exact mirror image of the crypto access list on both ends.



cory.fedorak Mon, 08/23/2010 - 07:25

Hey Ankur,

Thanks for the reply, I believe both sides are using Cisco 6500 Chassis and on our side we also have a SPA card.  Yes, mirroring ACLs is always a good idea, I'm just a little confused about why the tunnel wouldn't work for the ACEs that did match, it should have only affected the ACEs that did not match.


athukral Mon, 08/23/2010 - 17:56

Thanks for the reply!!

Well, it gives issues for a non-matching ACE because it tries to initiate SPI generation/negotiation based on that ACE, and once it finds that the far end does not have the ACE it should have, it ends with a Phase 2 QSM error.

Hope this explains!

And regarding your issue, if you could provide me the exact logs/debugs, then I will be able to provide you with the reason why your tunnel failed.

Was the ACL the culprit or something else?

Appreciate your time.
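The two replies above make the same point: every permit ACE in one peer's crypto ACL needs a mirror-image ACE (source and destination swapped) on the other peer, or Phase 2 negotiation for that traffic fails. The following script is an added example, not code from this thread or from Cisco; it parses IOS-style extended ACL lines (wildcard masks, `host`, `any`) from both peers and reports which ACEs are mirrored and which are orphaned. The ACL numbers and addresses in `SIDE_A` and `SIDE_B` are constructed sample values, and the script handles only `permit ip` entries, which is what a crypto ACL normally contains.

```python
"""Check that two IPsec crypto ACLs are mirror images of each other.

Added example (not from the original thread): each 'permit ip' ACE on one
peer must have a counterpart on the other peer with source and destination
swapped. An ACE without a mirror is the non-matching entry the thread
describes, and will fail Phase 2 negotiation for that traffic.
"""
import ipaddress
import re

# Constructed sample configs in Cisco IOS extended-ACL syntax.
SIDE_A = """
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.1.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip host 10.1.3.5 host 192.168.2.7
"""

SIDE_B = """
access-list 201 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 201 permit ip host 192.168.2.7 host 10.1.3.5
access-list 201 permit ip 192.168.3.0 0.0.0.255 10.1.1.0 0.0.0.255
"""


def _parse_endpoint(tokens):
    """Consume one source/destination spec from a token list.

    Returns (network, remaining_tokens). Accepts 'any', 'host A'
    and 'A WILDCARD' (IOS wildcard masks are inverted netmasks).
    """
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    mask_int = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(mask_int))
    net = ipaddress.ip_network((addr, netmask), strict=False)
    return net, tokens[2:]


def parse_crypto_acl(text):
    """Return the set of (src, dst) network pairs for every 'permit ip' ACE."""
    aces = set()
    for line in text.splitlines():
        m = re.match(r"access-list\s+\S+\s+permit\s+ip\s+(.*)", line.strip())
        if not m:
            continue  # deny lines and non-ACL lines define no protected traffic
        src, rest = _parse_endpoint(m.group(1).split())
        dst, _ = _parse_endpoint(rest)
        aces.add((src, dst))
    return aces


def mirror_check(acl_a, acl_b):
    """Compare two parsed ACLs.

    Returns (matched, only_a, only_b): matched holds side-A pairs that
    side B mirrors; only_a / only_b hold ACEs (in their own side's
    orientation) that have no mirror on the far end.
    """
    mirrored_b = {(dst, src) for src, dst in acl_b}  # B seen from A's side
    matched = acl_a & mirrored_b
    only_a = acl_a - mirrored_b
    only_b = {(dst, src) for (src, dst) in mirrored_b - acl_a}
    return matched, only_a, only_b


def report(side_a_text, side_b_text):
    """Human-readable summary; returns the lines so a caller can assert on them."""
    matched, only_a, only_b = mirror_check(parse_crypto_acl(side_a_text),
                                           parse_crypto_acl(side_b_text))
    lines = [f"mirrored ACEs: {len(matched)}"]
    lines += [f"side A only (no mirror on B): {s} -> {d}" for s, d in sorted(only_a)]
    lines += [f"side B only (no mirror on A): {s} -> {d}" for s, d in sorted(only_b)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SIDE_A, SIDE_B)))
```

Run it against the two `show running-config` excerpts before pushing a change to either peer; anything listed under "side A only" or "side B only" is an ACE the far end will not negotiate a Phase 2 SA for. Comparison is on normalized networks, so `host 10.1.3.5` and `10.1.3.5 0.0.0.0` are treated as the same entry.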
