
ip local policy weirdness

I have a policy enabled, and it works for ping and isakmp packets. It does not work for ESP packets. Is this a known issue?

I am looking to have crypto map configs working on 2 interfaces, with each having an internet connection. My ip local policy is to use PBR to have the reply traffic from the secondary connection go out that interface, versus the default route.

Hall of Fame Super Silver

Re: ip local policy weirdness


I am not aware of an issue with this. I wonder if there is an order of operations aspect to be considered.

Perhaps you could share some details of the config?




Re: ip local policy weirdness

interface GigabitEthernet0/0.1
 description $FW_INSIDE$
 encapsulation dot1Q 9
 ip address x.y.z.1
 ip access-group 103 in
 ip nat inside
 ip inspect XXXX in
 ip virtual-reassembly
 ip policy route-map mailmojo

interface GigabitEthernet0/1.1
 description $FW_OUTSIDE$
 encapsulation dot1Q 7
 ip address a.b.c.d
 ip access-group 105 in
 ip nat outside
 ip inspect XXXX out
 ip virtual-reassembly
 no cdp enable
 crypto map SDM_CMAP_1

route-map localPBR permit 10
 match ip address acl_localPBR
 set interface GigabitEthernet0/1.1
 set ip default next-hop a.b.c.e

route-map mailmojo permit 10
 match ip address 125
 set ip default next-hop a.b.c.e

route-map mailmojo permit 20
 match ip address secondaryVPN
 set interface GigabitEthernet0/1.1
 set ip default next-hop a.b.c.e

sh access-list acl_localPBR
Extended IP access list acl_localPBR
    5 permit esp host a.b.c.d any
    10 permit ip host a.b.c.d any (1112 matches)
    20 deny ip any any (432007 matches)

sh access-list 125
Extended IP access list 125
    10 deny ip host host (3908 matches)
    20 deny tcp host any eq 135
    30 permit ip host any (7613579 matches)

sh access-list secondaryVPN
Extended IP access list secondaryVPN
    10 permit ip x.y.t.0 (154756 matches)
    20 permit ip x.y.r.0
    30 permit ip x.y.s.0 (18 matches)
    40 permit ip x.y.u.0 (3 matches)
    50 deny ip any any (7057282 matches)

A.b.c.d is the IP address of the subint for the secondary ISP connection. A.b.c.e is the default gateway for that connection.

I have played with darn near every permutation of route-map commands to try to get this to work, but the ESP packets go out g0/1.2. I put 5 permit ESP.... in the list as a testing tool. I have g0/1 spanning to a box running wireshark, and I see the isakmp packets going to the right MAC addr, but not the ESP packets, even though the source/destination IP addresses are the same.

ACL 125 is to PBR some traffic for a statically natted service to an IP on the secondary ISP connection.

ACL secondaryVPN is to PBR the traffic to the vpn ip pool out the g0/1.1 interface to which those vpn clients are connected.
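To separate "the ACL does not classify ESP" from "something after classification sends ESP elsewhere", it helps to run the posted ACLs and route-maps through a plain model of how a PBR route-map is evaluated: sequences are walked in order, a sequence matches only when its ACL returns permit, and a deny or no match falls through to the next sequence (with no match at all meaning normal routing-table forwarding). The script below is an added example written for this page, not IOS code and not from the original poster; it implements a small parser for extended ACL entries and that sequence walk. The addresses are constructed stand-ins for the thread's anonymised values (198.51.100.10 for a.b.c.d, 198.51.100.1 for a.b.c.e, 192.0.2.0/24 for the inside x.y.* space), and ACL entries whose addresses were stripped from the page are left out. Under this model both the ISAKMP (UDP/500) and the ESP (protocol 50) packets from a.b.c.d are permitted by acl_localPBR (sequences 10 and 5 respectively) and hit localPBR sequence 10, so the classification itself is not where the two diverge; the second function shows the fall-through from mailmojo sequence 10 to 20 for traffic ACL 125 denies.

```python
"""Model of Cisco-style extended ACL matching and PBR route-map evaluation.
Added example for this thread; a simplified simulation, not router code.
All addresses are constructed placeholders for the thread's a.b.c.d / x.y.* values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers used by the posted ACLs; "ip" matches any protocol.
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50}


@dataclass
class Packet:
    proto: int            # IP protocol number (50 = ESP, 17 = UDP, 6 = TCP)
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens, i):
    """Parse 'any', 'host X', or 'X wildcard' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))   # contiguous wildcards only
    net = ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)
    return net, i + 2


def parse_ace(seq, line):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]' into a dict."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return {"seq": seq, "action": action, "proto": PROTO_NUMBERS[proto],
            "src": src, "dst": dst, "dport": dport}


def parse_acl(text):
    """Parse 'show access-list' style lines: '<seq> permit ip host A any'."""
    acl = []
    for line in text.strip().splitlines():
        seq, rest = line.strip().split(None, 1)
        acl.append(parse_ace(int(seq), rest))
    return acl


def acl_lookup(acl, pkt):
    """First matching entry wins; returns (action, seq), or ('deny', None) for the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in acl:
        if ace["proto"] is not None and ace["proto"] != pkt.proto:
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"], ace["seq"]
    return "deny", None


def policy_route(route_map, pkt):
    """Walk permit sequences in order. Only an ACL permit matches a sequence; a deny or no
    match moves to the next one. Returns (seq, set_clause), or None for normal routing."""
    for seq, acl, set_clause in route_map:
        action, _ = acl_lookup(acl, pkt)
        if action == "permit":
            return seq, set_clause
    return None


# Constructed data standing in for the posted config (entries with stripped addresses omitted).
ACL_LOCALPBR = parse_acl("""
5 permit esp host 198.51.100.10 any
10 permit ip host 198.51.100.10 any
20 deny ip any any
""")
ACL_125 = parse_acl("""
20 deny tcp host 192.0.2.10 any eq 135
30 permit ip host 192.0.2.10 any
""")
ACL_SECONDARYVPN = parse_acl("""
10 permit ip 192.0.2.128 0.0.0.127 any
50 deny ip any any
""")
RM_LOCALPBR = [(10, ACL_LOCALPBR,
                {"interface": "GigabitEthernet0/1.1", "default next-hop": "198.51.100.1"})]
RM_MAILMOJO = [(10, ACL_125, {"default next-hop": "198.51.100.1"}),
               (20, ACL_SECONDARYVPN,
                {"interface": "GigabitEthernet0/1.1", "default next-hop": "198.51.100.1"})]


def classify_local_traffic():
    """Router-originated ISAKMP and ESP from the secondary ISP address against acl_localPBR."""
    isakmp = Packet(proto=17, src="198.51.100.10", dst="203.0.113.5", dport=500)
    esp = Packet(proto=50, src="198.51.100.10", dst="203.0.113.5")
    return {"isakmp_acl": acl_lookup(ACL_LOCALPBR, isakmp),
            "esp_acl": acl_lookup(ACL_LOCALPBR, esp),
            "isakmp_pbr": policy_route(RM_LOCALPBR, isakmp),
            "esp_pbr": policy_route(RM_LOCALPBR, esp)}


def classify_transit_traffic():
    """tcp/135 from the natted host is denied by ACL 125, falls through to sequence 20, and is
    denied there too (normal routing); other traffic from it matches sequence 10; a VPN-pool
    source falls through ACL 125 and matches sequence 20."""
    rpc = Packet(proto=6, src="192.0.2.10", dst="203.0.113.9", dport=135)
    web = Packet(proto=6, src="192.0.2.10", dst="203.0.113.9", dport=80)
    vpn = Packet(proto=6, src="192.0.2.130", dst="203.0.113.9", dport=443)
    return {"rpc": policy_route(RM_MAILMOJO, rpc),
            "web": policy_route(RM_MAILMOJO, web),
            "vpn": policy_route(RM_MAILMOJO, vpn)}


if __name__ == "__main__":
    for name, result in {**classify_local_traffic(), **classify_transit_traffic()}.items():
        print(f"{name}: {result}")
```

Because the model says ESP and ISAKMP are classified identically, the next thing to check on the real box is what happens after classification: compare the hit counters on acl_localPBR sequence 5 against the ESP packets counted by the crypto SA, and confirm on the span port whether the ESP frames leave with the primary ISP gateway's MAC. A mismatch between the ACL counter and the captured egress points at the forwarding step rather than the match clause.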
