Cisco Support Community

New Member

Ipsec passthrough support for CSS

I had Windows domain controllers where their IPsec tunnels were not working. One of the domain controllers had a CSS on the path, and I suspect the CSS is dropping these packets. But in another data centre I could see a similar tunnel working through a CSS. Just confused with it.

  • Does CSS support IPsec passthrough (AH/ESP)?
  • Is there anywhere where we can see these drops being logged?

The only difference I could find is that the working CSS doesn't have any ACLs applied to the ingress interface. The non-working one has an ACL on the interface, but it allows any TCP/UDP, and I have even put "any any" there. Could anyone please help me here?



New Member

Ipsec passthrough support for CSS

Hi Shobith,

I too have this problem; it will be good if we get an answer!!


New Member

Ipsec passthrough support for CSS

Got the answer with some research and fixed it. Cisco CSS supports IPsec passthrough, but only without the ACL feature enabled. In my load balancer, ACL was enabled globally and an access list was applied to the interface. Even though the access list was permit any/any, it was blocking IPsec traffic. So I had to disable the ACL globally on the CSS by using the 'acl disable' command and then remove the access list from the interface. But bear in mind, if you try to remove the access list from the interface alone without disabling it globally, the interface will start blocking all traffic going through that interface. Found the below document useful.
