Cisco Support Community

New Member

Ipsec passthrough support for CSS

I had Windows domain controllers whose IPsec tunnels were not working. One of the domain controllers had a CSS on the path, and I suspect the CSS is dropping these packets. But in another data centre I could see a similar tunnel working through a CSS. Just confused with it.

  • Does CSS support IPsec passthrough (AH/ESP)?
  • Is there anywhere where we can see these drops being logged?

The only difference I could find is that the working CSS doesn't have any ACLs applied to the ingress interface. The non-working one has an ACL on the interface, but allowing any tcp/udp, and I have even put any any there. Could anyone please help me here.

Thanks,

Shobith

2 REPLIES
New Member

Ipsec passthrough support for CSS

Hi Shobith,

I too have this problem; it will be good if we get an answer!!

Barry

New Member

Ipsec passthrough support for CSS

Got the answer with some research and fixed it. Cisco CSS supports IPsec passthrough but without the ACL feature enabled. In my load balancer, ACL was enabled globally and an access list was applied to the interface. Even though the access list was permit any/any, it was blocking IPsec traffic. So I had to disable the ACL globally on the CSS by using the 'acl disable' command and then remove the access list from the interface. But bear in mind, if you try to remove the access list from the interface alone without disabling it globally, the interface will start blocking all traffic going through that interface. Found the below document useful.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/security/guide/Access.html
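As an added illustration (not part of Shobith's or Barry's posts, and not a model of the CSS itself), the Python below models a first-match 5-tuple ACL to show why a list that only permits TCP and UDP can never match ESP (IP protocol 50) or AH (IP protocol 51), the first thing to check when IPsec passthrough fails behind any filter. It does not reproduce the CSS-specific behaviour in the thread, where even permit any/any dropped IPsec until the ACL feature was disabled with 'acl disable'.

```python
# Added example: a minimal first-match ACL model used to check IPsec coverage.
# Protocol numbers are the standard IANA values; the Rule/Packet types are
# this example's own constructs, not a CSS or IOS ACL format.
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, ESP, AH = 6, 17, 50, 51


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: Optional[int] = None      # None = any IP protocol
    dst_port: Optional[int] = None   # only meaningful for TCP/UDP


@dataclass(frozen=True)
class Packet:
    proto: int
    dst_port: Optional[int] = None   # ESP/AH carry no transport port


def match(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match falls through to an implicit deny."""
    for rule in acl:
        if match(rule, pkt):
            return rule.action
    return "deny"


# The four flows an IPsec tunnel needs: IKE, NAT-T, then ESP and/or AH.
IPSEC_FLOWS = {
    "IKE (UDP/500)": Packet(UDP, 500),
    "NAT-T (UDP/4500)": Packet(UDP, 4500),
    "ESP (IP proto 50)": Packet(ESP),
    "AH (IP proto 51)": Packet(AH),
}


def ipsec_coverage(acl: List[Rule]) -> dict:
    """Map each IPsec flow to the ACL verdict so gaps are visible at a glance."""
    return {name: evaluate(acl, pkt) for name, pkt in IPSEC_FLOWS.items()}


# Looks wide open, but only covers transport protocols: ESP/AH hit the implicit deny.
TCP_UDP_ANY = [Rule("permit", TCP), Rule("permit", UDP)]
# Explicitly admits the IPsec protocols alongside TCP/UDP.
IPSEC_AWARE = TCP_UDP_ANY + [Rule("permit", ESP), Rule("permit", AH)]
```

Run `ipsec_coverage(TCP_UDP_ANY)` and `ipsec_coverage(IPSEC_AWARE)` side by side to see that only the second list permits ESP and AH.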
