2821ISR object-group service misfunctioning

Unanswered Question
Sep 1st, 2010

On a 2821ISR running 12.4.24T3, how can you explain the ACE line 20 hit count? This should be 0 hits because matching should be done in ACE line 10.
It looks like some isakmp packets are not matched within object-group service OGs_VPN.

This is why I added the classical ACE.


ipsecrtr#sh access-list Acl_Outside
Extended IP access list Acl_Outside
    10 permit object-group OGs_VPN any host <outside IP1> (16154927 matches)
    15 permit esp any host <outside IP1>
    20 permit udp any host <outside IP1> eq isakmp (224 matches)
    25 permit udp any host <outside IP1> eq non500-isakmp
    30 permit object-group OGs_VPN any host <outside IP2> (2022900 matches)
    35 permit esp any host <outside IP2>
    40 permit udp any host <outside IP2> eq isakmp (105 matches)
    45 permit udp any host <outside IP2> eq non500-isakmp
    50 permit icmp any any (607 matches)
    60 deny ip any any log (1187 matches)


ipsecrtr#sh  object-group OGs_VPN
Service object group OGs_VPN
Description ** Services VPN **
udp eq isakmp
udp eq non500-isakmp
tcp eq 10000
esp


Needs explanation
Regards
Alain

Panos Kampanakis Wed, 09/01/2010 - 15:06
User Badges:
  • Cisco Employee,

Alain,


Could it be that the 224 counter had increased before you put in line 10?

Can you clear the counters and see if that is the case?


PK

falain Thu, 09/02/2010 - 01:13

Hello,

I reboot the 2821 every night.

Today, I have these counts since reload:

ipsecrtr#sh access-list Acl_Outside
Extended IP access list Acl_Outside
    10 permit icmp any any (206 matches)
    20 permit object-group OGs_VPN any host (2230673 matches)
    30 permit esp any host
    40 permit udp any host eq isakmp non500-isakmp (98 matches)
    50 permit object-group OGs_VPN any host (285530 matches)
    60 permit esp any host
    70 permit udp any host eq isakmp non500-isakmp (40 matches)
    80 deny ip any any log (206 matches)
ipsecrtr#


Regards

Alain

Panos Kampanakis Thu, 09/02/2010 - 09:44
User Badges:
  • Cisco Employee,

OK.

It seems like buggy behavior. I would suggest opening a case with TAC; if it is a known bug, they will be able to provide the fixed version.


I hope it helps,

PK
