Solved

Why doesn't the VPN encryption domain ACL show any hits?

Posted on 2011-03-10
7 comments, 1,447 views
Last Modified: 2012-05-11
I am testing a LAN-to-LAN VPN configuration using brand-new Cisco ASR 1001 routers. The remote VPN device is an older PIX, and the tunnel appears to be working great. However, I'm seeing an anomaly that I cannot figure out. Here is the encryption domain for the tunnel in question:

ip access-list extended CustomerVPN
 permit ip 64.186.176.216 0.0.0.7 168.201.0.0 0.0.255.255
 permit ip 64.186.176.224 0.0.0.7 168.201.0.0 0.0.255.255
 permit ip 64.186.176.216 0.0.0.7 168.246.0.0 0.0.253.255
 permit ip 64.186.176.224 0.0.0.7 168.246.0.0 0.0.253.255

I am originating traffic from host IP 64.186.176.226/29 destined for host 168.201.0.10/16, and I am able to successfully pass ICMP and TCP connections.

However, I never see any hits on the ACL shown above.

Any ideas?
Question by: smartinez1984
7 Comments
 
Expert Comment by: jmeggers (LVL 18)
ID: 35102439
I've seen the same thing with ACLs used for QoS. I suspect that it has something to do with how the ACL is applied (ip access-group versus being used in another command). What you want to do is look at the output from show crypto ipsec sa, and you should see encryption and decryption if it's working properly.
Author Comment by: smartinez1984
ID: 35102609
Yeah, I confirmed proper flows through the SA reports and it's all looking good. This just threw me for a loop and, to be honest, is a bit concerning because a pair of these 1001 routers will be replacing a pair of older Cisco 2851 routers this coming Sunday. Just wanted to make sure there wasn't something I was missing...

Perhaps a TAC case is in order?

Thanks!

-Samson
Expert Comment by: jmeggers (LVL 18)
ID: 35102683
You could open a TAC case; I suspect they'll tell you what you're seeing is normal. As long as the SAs are in place and traffic is being encrypted, I wouldn't worry about it. As I said, I've seen the same thing with QoS classification ACLs.
Author Comment by: smartinez1984
ID: 35113193
I've created a TAC case - the engineer can't quite figure out what's going on so ... the troubleshooting continues. In the meantime, I will be installing this tomorrow night so we'll see if they work properly. The active will terminate 7 remote VPNs - here's hoping it goes well. :)

Accepted Solution by: smartinez1984 (earned 0 total points)
ID: 35131329
Cisco's response:

After research we have found a bug CSCsx21652 (ACL/IPsecEncryption counters not working)

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsx21652

Workaround:
'show crypto ipsec sa' and 'show crypto session detail' will display counters properly.
'show platform software ipsec F0 encryption-processor statistics' will also display low-level statistics about the crypto engine.

Author Comment by: smartinez1984
ID: 35833244
Ok.

Author Closing Comment by: smartinez1984
ID: 35872700
Not sure how to submit this since, technically, it wasn't a solution. Thanks to all for y'all's feedback.