Core issue

This problem occurs on routers that run code prior to Cisco Release 12.3(8)T.

The routers perform a double Access Control List (ACL) check on the inbound packets; once on the encrypted packet and then again on the just-decrypted clear-text packet. Packets drop during the double-check, if interesting traffic is not defined in the Context Based Access Control (CBAC) configuration.

Resolution

As a workaround, allow the remote VPN subnet through the CBAC configuration.

Refer to Configuring a Router IPsec Tunnel Private-to-Private Network with NAT and a Static for additional help on the configuration

Note: On routers that run code 12.3(8)T or later, the Crypto Access Check on Clear-Text Packets feature removes the clear-text packet check that goes through the IPSec tunnel just prior to encryption, or just after decryption.

Refer to the How ACL Access Checking Worked Prior to This Feature section of Crypto Access Check on Clear-Text Packets for additional help on how ACL checks worked prior to this new feature.

Refer to the Prerequisites for Crypto Access Check on Clear-Text Packets section of Crypto Access Check on Clear-Text Packets for this feature if there is a plan to upgrade the router to version 12.3(8)T.

Problem Type

Troubleshoot software feature

Product Family

Firewall - PIX 500 series

Routers