will L2L VPN Drop if i modify the ACL

ahmad82pkn
Level 2

Hi, I have a site-to-site IPsec VPN established between 2 sites.

It has 200+ ACL lines in it.

My question is: if I add another ACL statement, will it cause the tunnel to bounce? I just want to make sure I don't take the tunnel down in peak production time.

Regards,

M

5 Replies

andrew.prince
Level 10

No, it should not reset the tunnel - however, it's always good practice to perform production changes out of core business hours under a Change Control.

Yes, that's what has been done, but the IPsec SA is not coming up for the newly added ACL, and it's showing send errors in the output, so I thought to remove and re-add the ACL and see if that helps :-s

sh crypto ipsec sa | b 113.230.74

   remote ident (addr/mask/prot/port): (113.230.74.0/255.255.255.0/0/0)
   current_peer 194.46.82.71 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 180, #recv errors 0

     local crypto endpt.: 184.100.24.12, remote crypto endpt.: 194.46.82.71
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

Well, the issue could be 1 of three things, or even all!

1) Make sure your new IP subnets in the ACL are part of your "no-nat" ACL

2) The devices know where the new "IP subnets" are, i.e. "inside" or "outside"

3) The changes must happen on both ends of the VPN tunnel.

The other thing is "sometimes" I have noticed that if changes are made, the new information will not "take" until the IPSEC SA peer is cleared and allowed to re-form with the new info!

HTH.
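Points 1 and 3 above are the two that can be checked offline before touching the router. The following is an added example (not configuration or code from this thread) that parses IOS-style "permit/deny ip" ACL lines and reports which crypto-ACL entries are not mirrored on the peer and which flows are still caught by a NAT "permit" rather than the expected "deny" in the no-nat list; all subnets and ACL fragments below are constructed sample values.

```python
import ipaddress

# Constructed sample ACL fragments (not the thread's real config). Site A has
# just added a second crypto-ACL line; Site B has not mirrored it yet, and
# Site A's no-nat ACL still only exempts the original flow from translation.
SITE_A_CRYPTO = """
permit ip 10.1.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 10.1.5.0 0.0.0.255 113.230.74.0 0.0.0.255
"""
SITE_B_CRYPTO = """
permit ip 192.168.0.0 0.0.255.255 10.1.0.0 0.0.255.255
"""
SITE_A_NONAT = """
deny ip 10.1.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 10.1.0.0 0.0.255.255 any
"""

def _take_net(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a hostmask (an IOS wildcard) after the slash
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Return (action, src_net, dst_net) tuples for 'permit|deny ip ...' lines, in order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[1] != "ip":
            continue  # protocol/port-specific entries are out of scope here
        src, rest = _take_net(tokens[2:])
        dst, _ = _take_net(rest)
        entries.append((tokens[0], src, dst))
    return entries

def unmirrored_entries(local_acl, remote_acl):
    """Local crypto-ACL permits whose reversed (dst, src) pair is missing on the peer."""
    remote = {(s, d) for a, s, d in parse_acl(remote_acl) if a == "permit"}
    return [(s, d) for a, s, d in parse_acl(local_acl)
            if a == "permit" and (d, s) not in remote]

def not_exempt_from_nat(crypto_acl, nonat_acl):
    """Crypto-ACL flows whose first match in the no-nat ACL is not 'deny' (they would still be NATed)."""
    nonat = parse_acl(nonat_acl)
    return [(s, d) for a, s, d in parse_acl(crypto_acl) if a == "permit"
            and next((na for na, ns, nd in nonat
                      if s.subnet_of(ns) and d.subnet_of(nd)), None) != "deny"]
```

Run it against both sites' running-config fragments before the change window; an entry reported by either function explains a proxy-identity mismatch or NAT leak without needing a debug on the router.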

Points 1 & 2 I am sure are correct.

Point 3: the remote party confirms they have made the changes; I have a call with them tonight to discuss.

Point 4 means tearing down the VPN, right? That's not an option atm.

I can't even do a debug right now; debug ipsec SA is definitely going to take down the router.

OK - double-check the config... then check it again.
