Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Intermittant Issue with ISAKMP and ACLs on 2600 routers

Hello everyone, I've come across a strange issue with a VPN running between 2 2600 routers. This affects only one of the two routers.

Basically, there is an intermittant failure of ISKMP negotiation. An ACL is filtering the 'outside' interface, though with all required ISAKMP/IPSec traffic etc. allowed. However, if I remove the ACL when the ISAKMP is failing everything starts to work. I wondered if anyone else had seen someting like this or know its likely cause?

Thanks!

4 REPLIES
Silver

Re: Intermittant Issue with ISAKMP and ACLs on 2600 routers

Are you using 2600's with hardware encryption modules?

New Member

Re: Intermittant Issue with ISAKMP and ACLs on 2600 routers

No, this is all in software. The VPN is very low throughput. I should also add that this is using VRF-aware IPSec, and the ACL is applied inbound on the front-door interface which is in the global routing table. Thanks!

Silver

Re: Intermittant Issue with ISAKMP and ACLs on 2600 routers

The other question I have is whether you have logging enabled on any of your ACL entries. Here is a URL that describes the performance impact of logging ACL entries.

http://www.cisco.com/web/about/security/intelligence/acl-logging.html

New Member

Re: Intermittant Issue with ISAKMP and ACLs on 2600 routers

Hi thanks for the response. The ACL is as follows;

ip access-list extended OUTSIDE_ACL_IN

permit ip host x.x.x.x host y.y.y.y

permit esp host x.x.x.x host y.y.y.y

permit udp host x.x.x.x eq isakmp host y.y.y.y eq isakmp

permit udp host x.x.x.x eq non500-isakmp host y.y.y.y eq non500-isakmp

No logging, the bizarre thing is that the ACL counters still increment though the ISAKMP debugs don't suggest that the ISAKMP processes are seeing them (deleting SA reason "Death by retransmission P1").

158
Views
0
Helpful
4
Replies