
Changes from 15.0 - 15.1 (IP CEF? Zone Based Firewall?)

Unanswered Question
Jul 24th, 2012

Hi Guys,

Currently have a 2911 in place running as a hub for a hub and spoke DVTI IPSec setup.

It has a zone based firewall (with the DVTI's being in their own zone etc...) and everything works as it should. The two zone pairs between the safe zone and vpn zone are both inspect on egress and ingress.

I have now purchased a second 2911 to act as another hub - I've set up everything exactly the same as Hub1 the only difference is this router is software version 15.2 whilst Hub1 is 15.0.

Traffic does not want to flow from Hub1 to Hub2, whilst it works for Hub2 to Hub1 - it has an inspection rule on the firewall, so for a short time a client on Hub1 can talk to the client on Hub2 whilst the inspect firewall is open, but that is it.

I've tried all sorts of different configs. I then turned IP CEF off on Hub2 (15.2) and then, lo and behold, traffic flew across...

Does anyone know of any major changes that have happened in these software releases? Anyone have any experience of this? I will be hitting the Cisco docs tomorrow but I'm hoping someone has run into this before.

Many Thanks


Tim Butters Tue, 07/24/2012 - 13:54

I've spent the last few hours trialling different IOS versions.

My config works all the way up to 15.0(1)M7; any further up and it stops working unless I change the inspect rules to pass rules or issue `no ip cef`.

I have opened a TAC case to get further insight as I cannot find anything in the docs.

Sent from Cisco Technical Support iPhone App
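For readers trying to reproduce the setup described in this thread (a DVTI hub with the virtual-template interfaces in their own zone, and inspect policies on both zone pairs), the configuration below is an added illustration, not Tim's actual config or anything posted in the thread. Zone names, interface numbers, class-map and policy-map names are all assumptions. The first policy-map is the stateful `inspect` form that the thread reports breaking on 15.1+/15.2 with CEF enabled; the second is the `pass` workaround mentioned above, shown so the trade-off is visible.

```cisco
! --- Zones: LAN side and the DVTI side (names are assumptions) ---
zone security SAFE
zone security VPN

interface GigabitEthernet0/0
 description Inside LAN
 zone-member security SAFE

! DVTI spokes land on clones of this template, so the template carries the zone
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 zone-member security VPN

! --- Traffic to be inspected (match-any of the basic protocols) ---
class-map type inspect match-any CM-SAFE-VPN
 match protocol tcp
 match protocol udp
 match protocol icmp

! --- Stateful policy: the form that the thread reports breaking with CEF on ---
policy-map type inspect PM-INSPECT
 class type inspect CM-SAFE-VPN
  inspect
 class class-default
  drop log

! --- Workaround policy from the thread: 'pass' is stateless, so no session is
!     created and no return-traffic pinhole is opened; both directions must be
!     explicitly permitted, and the firewall no longer tracks connection state ---
policy-map type inspect PM-PASS
 class type inspect CM-SAFE-VPN
  pass
 class class-default
  drop log

! Zone pairs in both directions, each with the inspect policy applied
zone-pair security SAFE-TO-VPN source SAFE destination VPN
 service-policy type inspect PM-INSPECT
zone-pair security VPN-TO-SAFE source VPN destination SAFE
 service-policy type inspect PM-INSPECT
```

To confirm whether the firewall is actually building sessions for the hub-to-hub flow, `show policy-map type inspect zone-pair SAFE-TO-VPN sessions` lists the half-open and established sessions per zone pair; an empty list while the client on Hub1 is sending is consistent with the symptom described above. Swapping `PM-INSPECT` for `PM-PASS` on the zone pairs restores connectivity at the cost of stateful tracking, and `no ip cef` restores it at the cost of fast switching; both are diagnostic toggles rather than fixes.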

olly.lawrence Mon, 08/27/2012 - 13:48

Hi Tim,

I am also having a similar issue with a DMVPN setup where the zone based firewall just drops packets, like it doesn't seem to track them correctly. Having seen similar issues with GRE and 15.1, I disabled CEF outright and all was good?

I don't suppose you fixed it / had a good result from your TAC?



Tim Butters Mon, 08/27/2012 - 14:04

Hi Olly,

I've been in touch with TAC, who have linked this with a bug affecting other features. It is reported as being fixed and is currently in testing and set to be released in the next IOS. I am tracking the bug for further info:

Bug # CSCtw45480

Sent from Cisco Technical Support iPhone App

