[c-nsp] Crypto tunnel issue or undocumented feature?

Jonas Jonsson jonas.jonsson at netent.com
Fri Oct 2 07:20:07 EDT 2009


I have a small question regarding the behavior that I have noticed on a
crypto tunnel between a Cisco router and an ASA. The tunnel is a vanilla
tunnel with crypto map etc. on the router side and the corresponding on
the ASA. Tunnel is set up ok and all is fine until you do a forbidden
action towards the ASA, i.e. icmp is not allowed in the tunnel. Then the
following event happens:

001326: *Sep 28 13:49:32.171 UTC: ISAKMP:(1237):deleting SA reason
"Recevied fatal informational" state (R) QM_IDLE       (peer
19.17.18.22)
001327: *Sep 28 13:49:32.171 UTC: ISAKMP:(1237):deleting node 2127279974
error FALSE reason "Informational (in) state 1"
001328: *Sep 28 13:49:32.171 UTC: ISAKMP:(1237):Input =
IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
001329: *Sep 28 13:49:32.171 UTC: ISAKMP:(1237):Old State =
IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

It was a bit puzzling until, after looking at the remote config, we
allowed icmp and the tunnel now stays up. Hence, is this an undocumented
feature or a bug?

/// Best regards, Jonas
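
For anyone triaging the same symptom from saved debug output, the following is an added example and not part of the original post: it rejoins the hard-wrapped ISAKMP debug entries, extracts each SA deletion with its reason and peer, and checks whether the teardown was signalled by the remote end. The function names are this example's own, and it assumes later entries with the same SA id belong to the same deletion.

```python
import re

# The four debug entries from the post, hard-wrapped as in the archived mail.
SAMPLE = """\
001326: *Sep 28 13:49:32.171 UTC: ISAKMP:(1237):deleting SA reason
"Recevied fatal informational" state (R) QM_IDLE       (peer
19.17.18.22)
001327: *Sep 28 13:49:32.171 UTC: ISAKMP:(1237):deleting node 2127279974
error FALSE reason "Informational (in) state 1"
001328: *Sep 28 13:49:32.171 UTC: ISAKMP:(1237):Input =
IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
001329: *Sep 28 13:49:32.171 UTC: ISAKMP:(1237):Old State =
IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
"""

ENTRY_START = re.compile(r"^\d{6}: ")
HEADER = re.compile(r"^\d{6}: \*?(?P<ts>.+? UTC): ISAKMP:\((?P<sa>\d+)\):(?P<msg>.*)$")
DELETE_SA = re.compile(
    r'deleting SA reason "(?P<reason>[^"]+)" state \((?P<role>[IR])\) '
    r"(?P<state>\S+)\s+\(peer (?P<peer>[\d.]+)\)")

def unwrap(text):
    """Rejoin wrapped entries; a new entry starts with a 6-digit sequence number."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def teardowns(text):
    """One record per ISAKMP SA deletion, plus later entries for the same SA id."""
    records, by_sa = [], {}
    for entry in unwrap(text):
        h = HEADER.match(entry)
        if not h:
            continue
        d = DELETE_SA.search(h["msg"])
        if d:
            rec = {"sa": h["sa"], "time": h["ts"], **d.groupdict(), "followups": []}
            records.append(rec)
            by_sa[h["sa"]] = rec
        elif h["sa"] in by_sa:
            by_sa[h["sa"]]["followups"].append(re.sub(r"\s+", " ", h["msg"]))
    return records

def peer_signalled(rec):
    """True when the entries after the deletion show a message from the peer."""
    return any("IKE_MESG_FROM_PEER" in f for f in rec["followups"])
```

Run over the entries in the post, this yields a single deletion for SA 1237, in state QM_IDLE with the router as responder, that was signalled by peer 19.17.18.22.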


