Solved

Why doesn't the VPN encryption domain ACL show any hits?

Posted on 2011-03-10
7
1,457 Views
Last Modified: 2012-05-11
I am testing a lan-to-lan VPN configuration using brand-new Cisco ASR 1001 routers. The remote VPN device is an older PIX device and the tunnel appears to be working great. However, I'm seeing an anomaly which I cannot figure out. Here is the encryption domain for the tunnel in question:

ip access-list extended CustomerVPN
 permit ip 64.186.176.216 0.0.0.7 168.201.0.0 0.0.255.255
 permit ip 64.186.176.224 0.0.0.7 168.201.0.0 0.0.255.255
 permit ip 64.186.176.216 0.0.0.7 168.246.0.0 0.0.253.255
 permit ip 64.186.176.224 0.0.0.7 168.246.0.0 0.0.253.255

I am originating traffic from host IP 64.186.176.226/29 destined for host 168.201.0.10/16 and I am able to successfully send ICMP & TCP connections.

However, I never see any hits on the ACL shown above?

Any ideas?
0
Comment
Question by:smartinez1984
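As an added example (not part of the original question), the Python check below applies Cisco wildcard-mask matching to the CustomerVPN ACL exactly as posted, so a zero hit count can be told apart from a flow that never matched an entry; it also goes one step beyond the question by showing what the non-contiguous 0.0.253.255 wildcard actually accepts. The function names are my own.

```python
# Added example (not from the original question): applies Cisco wildcard-mask
# matching to the CustomerVPN ACL exactly as posted, so a zero hit count can be
# separated from a flow that simply never matched an entry.
import ipaddress

# The four ACEs from the question: (src base, src wildcard, dst base, dst wildcard).
CUSTOMER_VPN_ACL = [
    ("64.186.176.216", "0.0.0.7", "168.201.0.0", "0.0.255.255"),
    ("64.186.176.224", "0.0.0.7", "168.201.0.0", "0.0.255.255"),
    ("64.186.176.216", "0.0.0.7", "168.246.0.0", "0.0.253.255"),
    ("64.186.176.224", "0.0.0.7", "168.246.0.0", "0.0.253.255"),
]


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit means 'don't care', a 0 bit must match.

    Wildcards need not be contiguous (0.0.253.255 is legal), so this is a
    bitwise comparison, not a prefix-length test.
    """
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def first_matching_ace(src, dst, acl=CUSTOMER_VPN_ACL):
    """1-based number of the first ACE the flow hits, or None (implicit deny)."""
    for number, (s_base, s_wc, d_base, d_wc) in enumerate(acl, start=1):
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return number
    return None


if __name__ == "__main__":
    # The poster's test flow should land on ACE 2 (source falls in .224/29).
    print(first_matching_ace("64.186.176.226", "168.201.0.10"))
    # 0.0.253.255 leaves bit 0x02 of the third octet significant and, with a
    # base of 168.246.0.0, requires it to be clear: 168.246.1.1 matches ACE 3,
    # 168.246.2.1 matches nothing. A contiguous 0.0.255.255 would accept both.
    for dst in ("168.246.1.1", "168.246.2.1"):
        print(dst, "->", first_matching_ace("64.186.176.220", dst))
```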
7 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 35102439
I've seen the same thing with ACLs used for QoS.  I suspect that it has something to do with how the ACL is applied (ip access-group versus being used in another command).  What you want to do is look at the output from show crypto ipsec sa and you should see encryption and decryption if it's working properly.
0
 

Author Comment

by:smartinez1984
ID: 35102609
Yea, I confirmed proper flows through the SA reports and it's all looking good. This just threw me for a loop and, to be honest, is a bit concerning because a pair of these 1001 routers will be replacing a pair of older Cisco 2851 routers this coming Sunday. Just wanted to make sure there wasn't something I was missing...

Perhaps a TAC case is in order?

Thanks!

-Samson
0
 
LVL 18

Expert Comment

by:jmeggers
ID: 35102683
You could open a TAC case, I suspect they'll tell you what you're seeing is normal.  As long as the SAs are in place and traffic is being encrypted, I wouldn't worry about it.  As I said, I've seen the same thing with QoS classification ACLs.
0

Author Comment

by:smartinez1984
ID: 35113193
I've created a TAC case - the engineer can't quite figure out what's going on so ... the troubleshooting continues. In the meantime, I will be installing this tomorrow night so we'll see if they work properly. The active will terminate 7 remote VPNs - here's hoping it goes well. :)
0
 

Accepted Solution

by:
smartinez1984 earned 0 total points
ID: 35131329
Cisco's response:

After research we have found a bug CSCsx21652 (ACL/IPsecEncryption counters not working)

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsx21652

Workaround:
'show crypto ipsec sa' and 'show crypto session detail' will display counters properly.
'show platform software ipsec F0 encryption-processor statistics' will also display low-level statistics about the crypto engine.

0
 

Author Comment

by:smartinez1984
ID: 35833244
Ok.
0
 

Author Closing Comment

by:smartinez1984
ID: 35872700
Not sure how to submit this since, technically, it wasn't a solution. Thanks to all for y'alls feedback.
0
