Solved

Why doesn't the VPN encryption domain ACL show any hits?

Posted on 2011-03-10
Last Modified: 2012-05-11
I am testing a lan-to-lan VPN configuration using brand-new Cisco ASR 1001 routers. The remote VPN device is an older PIX device and the tunnel appears to be working great. However, I'm seeing an anomaly which I cannot figure out. Here is the encryption domain for the tunnel in question:

ip access-list extended CustomerVPN
 permit ip 64.186.176.216 0.0.0.7 168.201.0.0 0.0.255.255
 permit ip 64.186.176.224 0.0.0.7 168.201.0.0 0.0.255.255
 permit ip 64.186.176.216 0.0.0.7 168.246.0.0 0.0.253.255
 permit ip 64.186.176.224 0.0.0.7 168.246.0.0 0.0.253.255

I am originating traffic from host IP 64.186.176.226/29 destined for host 168.201.0.10/16 and I am able to successfully send ICMP & TCP connections.

However, I never see any hits on the ACL shown above.

Any ideas?
Question by:smartinez1984
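Before chasing the counters, it is worth confirming that the test flow really falls inside the encryption domain. The following Python script is an added example, not part of the original question: it applies Cisco wildcard-mask semantics (bitwise, so non-contiguous masks work) to the ACL as posted, and in passing shows exactly which destinations the 0.0.253.255 wildcard covers.

```python
import ipaddress
import re

# Crypto ACL copied from the question (the 0.0.253.255 wildcard is kept as posted).
CUSTOMER_VPN_ACL = """
ip access-list extended CustomerVPN
 permit ip 64.186.176.216 0.0.0.7 168.201.0.0 0.0.255.255
 permit ip 64.186.176.224 0.0.0.7 168.201.0.0 0.0.255.255
 permit ip 64.186.176.216 0.0.0.7 168.246.0.0 0.0.253.255
 permit ip 64.186.176.224 0.0.0.7 168.246.0.0 0.0.253.255
"""

# One access-control entry: action, source, source wildcard, destination, destination wildcard.
ACE_RE = re.compile(r"^\s*(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_acl(text):
    """Return the ACEs as (action, src, src_wc, dst, dst_wc) tuples, in order."""
    matches = (ACE_RE.match(line) for line in text.splitlines())
    return [m.groups() for m in matches if m]


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit means 'don't care', a 0 bit must match.
    Done bitwise so non-contiguous wildcards such as 0.0.253.255 are honoured."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def first_match(entries, src, dst):
    """Return (ace_index, action) of the first ACE matching src -> dst, or None
    for the implicit deny (the flow is outside the encryption domain)."""
    for i, (action, s, s_wc, d, d_wc) in enumerate(entries):
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return i, action
    return None


if __name__ == "__main__":
    entries = parse_acl(CUSTOMER_VPN_ACL)
    # The flow from the question: hits ACE 1 (64.186.176.224/29 -> 168.201.0.0/16).
    print(first_match(entries, "64.186.176.226", "168.201.0.10"))
    # What 168.246.0.0 0.0.253.255 really covers: second octet must be 246 and
    # the bit worth 2 in the third octet must be 0, so 168.246.4.x yes, 168.246.2.x no.
    for host in ("168.246.4.1", "168.246.2.1", "168.247.4.1"):
        print(host, first_match(entries, "64.186.176.226", host))
```

If the flow matches a permit entry here but the SA counters from show crypto ipsec sa also stay at zero, the problem is the crypto map or peer, not the ACL; if the counters climb while the ACL hit count stays at zero, only the display of the hit counter is affected.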
7 Comments
Expert Comment

by:jmeggers
ID: 35102439
I've seen the same thing with ACLs used for QoS. I suspect that it has something to do with how the ACL is applied (ip access-group versus being used in another command). What you want to do is look at the output from show crypto ipsec sa and you should see encryption and decryption if it's working properly.
Author Comment

by:smartinez1984
ID: 35102609
Yeah, I confirmed proper flows through the SA reports and it's all looking good. This just threw me for a loop and, to be honest, is a bit concerning because a pair of these 1001 routers will be replacing a pair of older Cisco 2851 routers this coming Sunday. Just wanted to make sure there wasn't something I was missing...

Perhaps a TAC case is in order?

Thanks!

-Samson
Expert Comment

by:jmeggers
ID: 35102683
You could open a TAC case, I suspect they'll tell you what you're seeing is normal. As long as the SAs are in place and traffic is being encrypted, I wouldn't worry about it. As I said, I've seen the same thing with QoS classification ACLs.
Author Comment

by:smartinez1984
ID: 35113193
I've created a TAC case - the engineer can't quite figure out what's going on so ... the troubleshooting continues. In the meantime, I will be installing this tomorrow night so we'll see if they work properly. The active will terminate 7 remote VPNs - here's hoping it goes well. :)
Accepted Solution

by:smartinez1984
ID: 35131329
Cisco's response:

After research we have found a bug CSCsx21652 (ACL/IPsec encryption counters not working)

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsx21652

Workaround:
'show crypto ipsec sa' and 'show crypto session detail' will display counters properly.
'show platform software ipsec F0 encryption-processor statistics' will also display low-level statistics about the crypto engine.

Author Comment

by:smartinez1984
ID: 35833244
Ok.
Author Closing Comment

by:smartinez1984
ID: 35872700
Not sure how to submit this since, technically, it wasn't a solution. Thanks to all for y'all's feedback.