
daubman at gmail
Sep 12, 2007, 6:10 AM
Troubling IPSec issues with a 6500
Greetings,

I have a client that's run into some trouble with IPSec-over-GRE and I'm trying to help debug. The problem sounds very familiar; however, I haven't come up with a solution yet in my searches...

The basic setup is:

7206(GigE)<------>(GigE)6500

The IPSec (preshared) setup is pretty much straight out of a Cisco IPSec-over-GRE example with one (possibly key) difference: on the 6500, pretty much all traffic in/out is using a single GigE interface with multiple trunked VLANs.

The tunnel comes up and all show/debug output looks good. The 7200 works bi-directionally; however, the 6500 seems to be only encrypting in a single direction for external traffic. Traffic originating ON the 6500 (ping) gets encrypted and sent over the tunnel, and all received IPSec traffic is decrypted. However, traffic that comes in on one of the other VLANs, which is supposed to get tunneled, then encrypted, and then sent out a different VLAN, only gets GRE encapsulated and is skipping the IPSec crypto.

What I REALLY can't figure out is that the crypto map match access list counters ARE incrementing for this traffic that is not being encrypted...

The 6500 (Sup720-3a MSFC3) only has 64Mb flash, so it is running the latest possible image that it can: 12.2.18-SXD7b ...there is no FWSM in the picture.

Any ideas?

Interestingly enough, the same (exact, VLANs and all) setup is working between the 7200 and a 2600, with the only major difference I can see being the hardware platform and the IOS release.

TIA,
~Aaron

_______________________________________________
cisco-nsp mailing list
cisco-nsp[at]puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/