[c-nsp] uRPF and IPSec SPA compatibility issues?

Justin Shore justin at justinshore.com
Wed Jul 23 19:06:40 EDT 2008


I enabled uRPF on a couple SVIs on our 7600s last week remotely while in 
training.  I was trying to track down some RFC 1918 traffic leaking into 
our network between lectures.  I was going to use an ACL with an 
explicit deny w/ log-input to locate it.  One of the SVIs was for one of 
our SP server farms.  The other was connected to a pair of ASAs for our 
corporate LAN.  Incidentally I never found the source of the traffic and 
was distracted by more important things.  I did not remove the uRPF 
config because it was something I forgot to add during the deployment 
and as an access edge interface it really should be there.  The uRPF 
config is simple:


Late in the week I got a report that an internal admin couldn't access 
devices in our data center via VPN.  VPN connections terminate on the 
same 7600s using IPSec SPAs running in VRF mode.  The DC devices that he 
was trying to access were in a management VRF downstream from the 7600s 
in the DC itself.  All L3 interfaces in the 7600s have been explicitly 
configured with the 'crypto engine slot' command and outside.  Specifically:

crypto engine slot 3/0 outside
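As an added illustration of the uRPF behaviour the post relies on (not the poster's configuration, which is not included above), the following Python models the strict ("reachable-via rx") and loose ("reachable-via any") checks against a constructed FIB and shows which RFC 1918 sources would be dropped on an access-edge SVI. Interface names (Vlan100, Vlan200, Te1/1), prefixes and the allow_default flag are assumptions for the example.

```python
import ipaddress

# Constructed FIB for the example: prefix -> interface the route points out of.
# Interface names and prefixes are illustrative, not the poster's actual SVIs.
FIB = {
    "10.20.0.0/16": "Vlan100",   # SP server farm SVI
    "172.16.0.0/12": "Vlan200",  # SVI toward the ASA pair
    "0.0.0.0/0": "Te1/1",        # default route to the upstream
}

def lookup(fib, src):
    """Longest-prefix match on the source address; returns (network, iface) or None."""
    src = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(fib, src, in_iface, mode="strict", allow_default=False):
    """Model of uRPF: strict requires the best path back to the source to be the
    receiving interface; loose only requires some route to the source. A default
    route counts only when allow_default is set (assumed to mirror IOS behaviour)."""
    hit = lookup(fib, src)
    if hit is None:
        return False, "no route to source"
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False, "only the default route covers the source"
    if mode == "loose":
        return True, f"source reachable via {iface}"
    if iface == in_iface:
        return True, f"best path to source is the receiving interface {in_iface}"
    return False, f"best path to source is {iface}, packet arrived on {in_iface}"

def audit(fib, packets, mode="strict"):
    """Run the check over constructed (src, in_iface) pairs; returns drops with reasons."""
    drops = []
    for src, in_iface in packets:
        ok, why = urpf_check(fib, src, in_iface, mode)
        if not ok:
            drops.append((src, in_iface, why))
    return drops

if __name__ == "__main__":
    SAMPLE = [
        ("10.20.5.5", "Vlan100"),    # legitimate server-farm traffic
        ("10.20.5.5", "Vlan200"),    # same source leaking in from the ASA side
        ("192.168.1.1", "Vlan100"),  # RFC 1918 source with no specific route
    ]
    for drop in audit(FIB, SAMPLE):
        print("DROP", drop)
```

The drop reasons are the same information an explicit-deny ACL with log-input would surface, which is why strict uRPF is a reasonable way to locate a leaking RFC 1918 source on an access edge.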




