12-09-2011 06:18 AM
Hi, I have a site-to-site IPSEC VPN established between 2 sites.
It has 200+ ACL lines in it.
My question is: if I add another ACL statement, will it cause the tunnel to bounce? Just want to make sure I don't make the tunnel go down in peak production time.
Regards,
M
12-09-2011 06:27 AM
No, it should not reset the tunnel - however, it's always good practice to perform production changes out of core business hours under a Change Control.
12-09-2011 06:44 AM
Yes, that's what has been done, but the IPSEC SA is not coming up for the newly added ACL, and it is showing send errors in the output, so I thought to remove and re-add the ACL and see if that helps :-s
sh crypto ipsec sa | b 113.230.74
remote ident (addr/mask/prot/port): (113.230.74.0/255.255.255.0/0/0)
current_peer 194.46.82.71 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 180, #recv errors 0
local crypto endpt.: 184.100.24.12, remote crypto endpt.: 194.46.82.71
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
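As an added example (not from the thread or any of its posters), a small triage script that parses `show crypto ipsec sa` output of the shape pasted above and flags proxy identities where traffic matched the crypto ACL but no phase-2 SA was ever negotiated, the pattern seen here: send errors counting up with an outbound SPI of 0x0. The sample output is constructed; only the first entry mirrors the thread's figures.

```python
import re

# Constructed sample modelled on the "show crypto ipsec sa" excerpt in the thread.
# Entry 1: the failing identity (no SPI, send errors). Entry 2: a healthy one for contrast.
SAMPLE = """\
   remote ident (addr/mask/prot/port): (113.230.74.0/255.255.255.0/0/0)
   current_peer 194.46.82.71 port 500
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
   #send errors 180, #recv errors 0
   current outbound spi: 0x0(0)
   remote ident (addr/mask/prot/port): (10.20.30.0/255.255.255.0/0/0)
   current_peer 194.46.82.71 port 500
   #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
   #send errors 0, #recv errors 0
   current outbound spi: 0x4A1B2C3D(1243691069)
"""

def parse_ipsec_sa(text):
    """Split show output into one record per 'remote ident' proxy identity."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"remote ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/", line)
        if m:
            cur = {"remote": f"{m.group(1)}/{m.group(2)}", "encaps": 0,
                   "send_errors": 0, "outbound_spi": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        if m := re.match(r"#pkts encaps: (\d+)", line):
            cur["encaps"] = int(m.group(1))
        elif m := re.match(r"#send errors (\d+)", line):
            cur["send_errors"] = int(m.group(1))
        elif m := re.match(r"current outbound spi: (0x[0-9A-Fa-f]+)", line):
            cur["outbound_spi"] = m.group(1)
    return entries

def diagnose(entry):
    """Classify one proxy identity from its counters."""
    no_spi = entry["outbound_spi"] in (None, "0x0")
    if no_spi and entry["send_errors"] > 0:
        # Packets hit the crypto ACL but the peer never agreed a child SA:
        # check the mirror ACL on the far end, the no-nat ACL and routing.
        return "phase2-not-established"
    if no_spi:
        return "no-traffic-yet"
    return "ok"

if __name__ == "__main__":
    for e in parse_ipsec_sa(SAMPLE):
        print(f"{e['remote']}: {diagnose(e)} (send errors {e['send_errors']})")
```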
12-09-2011 06:52 AM
Well, the issue could be 1 of three things, or even all!
1) Make sure your new IP subnets in the ACL are part of your "no-nat" ACL
2) The devices know where the new "IP subnets" are, i.e. "Inside" or "Outside"
3) The changes must happen on both ends of the VPN tunnel.
The other thing is that "sometimes" I have noticed that if changes are made, the new information will not "take" until the IPSEC SA peer is cleared and allowed to re-form with the new info!
HTH.
12-09-2011 07:02 AM
Points 1 & 2 I am sure are correct.
Point 3: the remote party confirms they have made the changes; I have a call with them tonight to discuss.
Point 4 means tearing down the VPN, right? That's not an option atm.
Even I can't do a debug right now; debug ipsec SA is definitely going to take down the router.
12-09-2011 07:31 AM
OK - double-check the config... then check it again.