Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Why doesn't the VPN encryption domain ACL show any hits?

Posted on 2011-03-10
7
1,431 Views
Last Modified: 2012-05-11
I am testing a lan-to-lan VPN configuration using brand-new Cisco ASR 1001 routers. The remote VPN device is an older PIX device and the tunnel appears to be working great. However, I'm seeing an anomaly which I cannot figure out. Here is the encryption domain for the tunnel in question:

ip access-list extended CustomerVPN
 permit ip 64.186.176.216 0.0.0.7 168.201.0.0 0.0.255.255
 permit ip 64.186.176.224 0.0.0.7 168.201.0.0 0.0.255.255
 permit ip 64.186.176.216 0.0.0.7 168.246.0.0 0.0.253.255
 permit ip 64.186.176.224 0.0.0.7 168.246.0.0 0.0.253.255

I am originating traffic from host IP 64.186.176.226/29 destined for host 168.201.0.10/16 and I am able to successfully send ICMP & TCP connections.

However, I never see any hits on the ACL shown above?

Any ideas?
0
Comment
Question by:smartinez1984
  • 5
  • 2
7 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 35102439
I've seen the same thing with ACLs used for QoS.  I suspect that it has something to do with how the ACL is applied (ip access-group versus being used in another command).  What you want to do is look at the output from show crypto ipsec sa and you should see encryption and decryption if it's working properly.
0
 

Author Comment

by:smartinez1984
ID: 35102609
Yea, I confirmed proper flows through the SA reports and it's all looking good. This just threw me for a loop and, to be honest, is a bit concerning because a pair of these 1001 routers will be replacing a pair of older Cisco 2851 routers this coming Sunday. Just wanted to make sure there wasn't something I was missing...

Perhaps a TAC case is in order?

Thanks!

-Samson
0
 
LVL 18

Expert Comment

by:jmeggers
ID: 35102683
You could open a TAC case, I suspect they'll tell you what you're seeing is normal.  As long as the SAs are in place and traffic is being encrypted, i wouldn't worry about it.  As I said, I've seen the same thing with QoS classification ACLs.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 

Author Comment

by:smartinez1984
ID: 35113193
I've created a TAC case - the engineer can't quite figure out what's going on so ... the troubleshooting continues. In the meantime, I will be installing this tomorrow night so we'll see if they work properly. The active will terminate 7 remote VPNs - here's hoping it goes well. :)
0
 

Accepted Solution

by:
smartinez1984 earned 0 total points
ID: 35131329
Cisco's response:

After research we have found a bug  CSCsx21652  (ACL/IPsecEncryption counters not working)

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsx21652

Workaround:
'show crypto ipsec sa' and 'show crypto session detail' will display counters properly.
'show platform software ipsec F0 encryption-processor statistics' will also display low-level statistics about the crypto engine,

0
 

Author Comment

by:smartinez1984
ID: 35833244
Ok.
0
 

Author Closing Comment

by:smartinez1984
ID: 35872700
Not sure how to submit this since, technically, it wasn't a solution. Thanks to all for y'alls feedback.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Connecting a New Subnet to Network 4 43
Cisco Maximum Prefixes Allowed for Customer 5 33
Cisco WRVS4400N 11 37
BGP DUAL ISP with IP SLA 10 17
Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question