Cisco Bug: CSCsz53034 - no ingress flows on tunnel interface if nat done before reaching tunnel

Last Modified

Jan 30, 2017

Products (1)

  • Cisco IOS

Known Affected Releases

12.4(20)T2, 12.4(24)T

Description (partial)


1. missing flows in "show ip cache flow"

2. In SX train with WS-IPSEC-2G: An IPsec session is established between the CAT6k and a peer (C871) with a NAT device in between, and the session on the CAT6k times out while the session on the peer is still up, due to some network event.
In this case the session never recovers between the peers. The peer uses the older session to send traffic, and the CAT6k drops that traffic.


1. 'ip flow ingress' configured on a tunnel interface (multipoint GRE).

2. In SX train with WS-IPSEC-2G: The crypto map contains a dynamic entry on a 6500 with 3200+ L2L peers. When DPD is triggered from the peer, the IKE session comes up, but the IPsec session never recovers. On the CAT6k the crypto session is in UP-Idle state and on the peer in Up_Active state.