[c-nsp] Troubling IPSec issues with a 6500

Aaron Daubman daubman at gmail.com
Wed Sep 12 09:10:52 EDT 2007


Greetings,

I have a client that's run into some trouble with IPSec-over-GRE and
I'm trying to help debug.  The problem sounds very familiar; however, I
haven't come up with a solution yet in my searches...

The basic setup is:

7206(GigE)<------>(GigE)6500

The IPSec (preshared) setup is pretty much straight out of a Cisco
IPSec-over-GRE example with one (possibly key) difference:
On the 6500, pretty much all traffic in/out is using a single GigE
interface with multiple trunked VLANs.

The tunnel comes up and all show/debug output looks good.  The 7200
works bi-directionally; however, the 6500 seems to be only encrypting
in a single direction for external traffic.

Traffic originating ON the 6500 (ping) gets encrypted and sent over
the tunnel, and all received IPSec traffic is decrypted.  However,
traffic that comes in on one of the other VLANs, which is supposed to get
tunneled, then encrypted, and then sent out a different VLAN, only
gets GRE encapsulated and skips the IPSec crypto.

What I REALLY can't figure out is that the crypto map match access
list counters ARE incrementing for this traffic that is not being
encrypted...

The 6500 (Sup720-3a MSFC3) only has 64Mb flash, so it is running the
latest possible image that it can:  12.2.18-SXD7b
...there is no FWSM in the picture.

Any ideas?

Interestingly enough, the same (exact, VLANs and all) setup is working
between the 7200 and a 2600, with the only major difference I can see
being the hardware platform and the IOS release.

TIA,
     ~Aaron
