Site to Site VPN traffic filter (ACL)

deyster94
Level 5

I had to edit an ACL on an active S2S VPN today because traffic was being denied from a host onsite to a host on the remote site (port 449). After I made the change, we tried to make the connection again, but it was still denied. Do we need to tear down the S2S VPN for the change to the ACL to take effect?

Also, what if we just wait for the connection to rekey itself?  Will it work after that?

TIA.

Dan

2 Replies

Hi Dan,

Please use the "crypto ipsec sa peer xxxx.xxxx.xxxx.xxxx" command to renegotiate Phase II, it is the recommended action.

Let me know.

Please rate any post you find useful.

johnlloyd_13
Level 9

Hi Dan,

Kindly use the 'clear crypto sa peer a.b.c.d' command. Make sure you've got 'mirrored' crypto ACL on both ends of the VPN. Also, make use of the 'debug crypto' commands to dig deeper.

Sent from Cisco Technical Support iPhone App
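
One way to check the "mirrored" crypto ACL advice from the reply above before clearing the SA, as an added example that is not part of the original thread. It assumes ASA-style `access-list NAME extended permit ...` lines; the ACL name, the addresses and the helper names are constructed for illustration, and only port 449 comes from the question.

```python
# Added example: report local crypto ACL entries that have no mirror on the peer.
# LOCAL and REMOTE are constructed sample configs, not taken from the thread.
LOCAL = """
access-list S2S extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list S2S extended permit tcp host 10.1.1.10 host 10.2.2.20 eq 449
"""
REMOTE = """
access-list S2S extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
"""

def _take_addr(tok):
    """Consume one address spec: 'host X', 'any', or 'NETWORK MASK'."""
    if tok[0] == "host":
        return ("host", tok[1]), tok[2:]
    if tok[0] == "any":
        return ("any",), tok[1:]
    return ("net", tok[0], tok[1]), tok[2:]

def _take_port(tok):
    """Consume an optional 'eq PORT' qualifier (other operators are not handled)."""
    if tok[:1] == ["eq"]:
        return tok[1], tok[2:]
    return None, tok

def parse_ace(line):
    """Return (proto, src, src_port, dst, dst_port) for a permit entry, else None."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2:4] != ["extended", "permit"]:
        return None
    proto, tok = tok[4], tok[5:]
    src, tok = _take_addr(tok)
    sport, tok = _take_port(tok)
    dst, tok = _take_addr(tok)
    dport, tok = _take_port(tok)
    return (proto, src, sport, dst, dport)

def mirror(ace):
    """Swap source and destination, carrying each port with its address."""
    proto, src, sport, dst, dport = ace
    return (proto, dst, dport, src, sport)

def unmirrored(local_cfg, remote_cfg):
    """Local permit entries whose swapped form is missing from the remote ACL."""
    remote = {parse_ace(l) for l in remote_cfg.splitlines()} - {None}
    return [l.strip() for l in local_cfg.splitlines()
            if parse_ace(l) and mirror(parse_ace(l)) not in remote]
```

With the sample data, `unmirrored(LOCAL, REMOTE)` returns the newly added port 449 entry, because the remote side has no entry with source and destination swapped.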
