Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IPSEC access-list question

Hi,

I have an access-list with the following line...

permit ip host 65.119.114.3 62.140.152.0 0.0.0.31

and its crypto ipsec sa shows up as this, with no packets encaps or decaps.

protected vrf:

local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.224/0/0)

current_peer: 62.140.138.249:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#send errors 0, #recv errors

___________________

I also show a crypto ipsec sa which doesn't correspond directly to my accesslist. This is the second time I've seen this... is there any part of IPsec where the access-list are shared with the other end? i didn't think so, but I'm not sure how we got this, if not.

protected vrf:

local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.252/0/0)

current_peer: 62.140.138.249:500

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22

#send errors 0, #recv errors 0

Thanks!!

1 REPLY
Cisco Employee

Re: IPSEC access-list question

Can you post the configuration from this device.

Regards,

Arul

100
Views
0
Helpful
1
Replies
CreatePlease login to create content