Solved

Why doesn't the VPN encryption domain ACL show any hits?

Posted on 2011-03-10
7
1,419 Views
Last Modified: 2012-05-11
I am testing a lan-to-lan VPN configuration using brand-new Cisco ASR 1001 routers. The remote VPN device is an older PIX device and the tunnel appears to be working great. However, I'm seeing an anomaly which I cannot figure out. Here is the encryption domain for the tunnel in question:

ip access-list extended CustomerVPN
 permit ip 64.186.176.216 0.0.0.7 168.201.0.0 0.0.255.255
 permit ip 64.186.176.224 0.0.0.7 168.201.0.0 0.0.255.255
 permit ip 64.186.176.216 0.0.0.7 168.246.0.0 0.0.253.255
 permit ip 64.186.176.224 0.0.0.7 168.246.0.0 0.0.253.255

I am originating traffic from host IP 64.186.176.226/29 destined for host 168.201.0.10/16 and I am able to successfully send ICMP & TCP connections.

However, I never see any hits on the ACL shown above?

Any ideas?
0
Comment
Question by:smartinez1984
  • 5
  • 2
7 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 35102439
I've seen the same thing with ACLs used for QoS.  I suspect that it has something to do with how the ACL is applied (ip access-group versus being used in another command).  What you want to do is look at the output from show crypto ipsec sa and you should see encryption and decryption if it's working properly.
0
 

Author Comment

by:smartinez1984
ID: 35102609
Yea, I confirmed proper flows through the SA reports and it's all looking good. This just threw me for a loop and, to be honest, is a bit concerning because a pair of these 1001 routers will be replacing a pair of older Cisco 2851 routers this coming Sunday. Just wanted to make sure there wasn't something I was missing...

Perhaps a TAC case is in order?

Thanks!

-Samson
0
 
LVL 18

Expert Comment

by:jmeggers
ID: 35102683
You could open a TAC case, I suspect they'll tell you what you're seeing is normal.  As long as the SAs are in place and traffic is being encrypted, i wouldn't worry about it.  As I said, I've seen the same thing with QoS classification ACLs.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:smartinez1984
ID: 35113193
I've created a TAC case - the engineer can't quite figure out what's going on so ... the troubleshooting continues. In the meantime, I will be installing this tomorrow night so we'll see if they work properly. The active will terminate 7 remote VPNs - here's hoping it goes well. :)
0
 

Accepted Solution

by:
smartinez1984 earned 0 total points
ID: 35131329
Cisco's response:

After research we have found a bug  CSCsx21652  (ACL/IPsecEncryption counters not working)

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsx21652

Workaround:
'show crypto ipsec sa' and 'show crypto session detail' will display counters properly.
'show platform software ipsec F0 encryption-processor statistics' will also display low-level statistics about the crypto engine,

0
 

Author Comment

by:smartinez1984
ID: 35833244
Ok.
0
 

Author Closing Comment

by:smartinez1984
ID: 35872700
Not sure how to submit this since, technically, it wasn't a solution. Thanks to all for y'alls feedback.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Guest Wi-Fi Marketing solution required 8 81
ASA to pfsense IPSec site to site tunnel 17 87
The purpose of using BGP 33 98
Palo Alto Networks: View Tunnel packet counts? 2 27
There are many useful and sometimes not well documented or forgotten IOS or ASA/PIX commands. See IPE article here , there was also one on PacketU and on Cisco Tips & Tricks. Below are my favorites. I give also a few most often used for Cisco IPS an…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now