[c-nsp] Crypto tunnel issue or undocumented feature?
Jonas Jonsson
jonas.jonsson at netent.com
Fri Oct 2 07:20:07 EDT 2009
I have a small question regarding the behavior that I have noticed on a
crypto tunnel between a Cisco router and a ASA. The tunnel is a vanilla
tunnel with crypto map etc on the router side and the corresponding on
the ASA. Tunnel is set up ok and all is fine until you do a forbidden
action
towards the ASA, i.e. icmp is not allowed in the tunnel. Then the
following
event happens:
001326: *Sep 28 13:49:32.171 UTC: ISAKMP:(1237):deleting SA reason
"Recevied fatal informational" state (R) QM_IDLE (peer
19.17.18.22)
001327: *Sep 28 13:49:32.171 UTC: ISAKMP:(1237):deleting node 2127279974
error FALSE reason "Informational (in) state 1"
001328: *Sep 28 13:49:32.171 UTC: ISAKMP:(1237):Input =
IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
001329: *Sep 28 13:49:32.171 UTC: ISAKMP:(1237):Old State =
IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
It was a bit puzzling until after looking at the remote config we
allowed icmp and the tunnel now stays up. Hence is this an undocumented
feature or
a bug?
/// Best regards, Jonas
--------------------------------------------------------
Jonas Jonsson
Net Entertainment NE AB, Birger Jarlsgatan 57 B, S-113 56 Stockholm, Sweden
M: +46707609811, T: +46707609811, F: +46 8 556 967 07
jonas.jonsson at netent.com, www.netent.com
Better Games
More information about the cisco-nsp
mailing list