Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
738
Views
0
Helpful
3
Replies

Changes from 15.0 - 15.1 (IP CEF? Zone Based Firewall?)

Tim Butters
Level 1
Level 1

‎07-24-2012 08:18 AM - edited ‎03-04-2019 05:03 PM

Hi Guys,

Currently have a 2911 in place running as a hub for a hub and spoke DVTI IPSec setup.

It has a zone based firewall (with the DVTI's being in their own zone etc...) and everything works as it should. The two zone pairs between the safe zone and vpn zone are both inspect on egress and ingress.

I have now purchased a second 2911 to act as another hub - I've set up everything exactly the same as Hub1 the only difference is this router is software version 15.2 whilst Hub1 is 15.0.

Traffic does not want to flow from Hub1 to Hub2, whilst it works for Hub2 to Hub1 - It has an inspection rule on the firewall so for a short time, a client on Hub1 can talk to the client on Hub2 whilst the inspect firewall is open but that is it.

I've tried all sorts of different configures. I then turned IP CEF off on Hub2 (15.2) and then low and behold, traffic flew across...

Does anyone know of any major changes that have happened in these software releases? Anyone have any experience of this? I will be hitting the Cisco docs tomorrow but i'm hoping someone has run into this before.

Many Thanks

Tim

Labels:
0 Helpful
3 Replies 3

Tim Butters
Level 1
Level 1

‎07-24-2012 01:54 PM

I've spent the last few hours trialling different IOS versions.

My config works all the way up to 15.0(1)M7, any further up and it stops working unless I change the inspect rules to pass rules or issue No Ip CEF.

I have opened a TAC to get further insight as I cannot find anything in the docs..

Sent from Cisco Technical Support iPhone App

0 Helpful

olly.lawrence
Level 1
Level 1
In response to Tim Butters

‎08-27-2012 01:48 PM

Hi Tim,

I am also having similare issue with a DMVPN setup where the zone based firewall just drops packtes like doesn't seem to track them correclty having seem similare isseus with gre and 15.1 i diabled CEF out right and all was good ?

I don't supose you fixed it / had a good result from your TAC ?

Cheers

-Olly

0 Helpful

Tim Butters
Level 1
Level 1

‎08-27-2012 02:04 PM

Hi Olly,

I've been intouch with TAC who have linked this with a bug affecting other features. It is reported as being fixed and is currently in testing and set to be released in the next IOS. I am tracking the bug for further info:

Bug # CSCtw45480

Sent from Cisco Technical Support iPhone App

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card