Cisco Bug: CSCtc06097 - VPNSM: %ACE-3-TRANSERR for multiple deny ACEs in a crypto ACL
Jan 31, 2017
- Cisco Catalyst 6000 Series Switches
Known Affected Releases
Symptom: Traffic goes in clear if more than 4 deny entries are configured in a crypto access-list.

Conditions: When configuring certain combinations of denys and permits, the number of TCAM entries needed is very large, exceeding the maximum limitation. Consequently, a warning message is displayed to notify the user that the TCAM programming failed. This condition can be reached with any number of deny ACLs, although it is more likely as the number of denys increases.

An example of the warning message is shown below:

*Sep 18 12:47:39.930%VPN-SM-3-ACEI0TCAMFAILE: slot 5/1 SpdSpInstall: cannot install Sp 6: TmInsertSp failed
*Sep 18 12:47:39.930%VPN-SM-3-ACEI29SPDFAILE: slot 5/1 PcpCmeInstallNext: cannot install Sp 6 with SpdMan
*Sep 18 12:47:39.802: Cryptomap map1:1 is not downloaded properly. Its policy will not be enforced.
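Because the failure leaves a crypto map unenforced while traffic keeps flowing, the warning messages above are worth alerting on. The following is an added example, not Cisco code: a small log check that flags the install failures and the affected crypto maps. The function name, the regular expressions and the last sample line are assumptions made for illustration; the first three sample lines are the ones quoted in this bug.

```python
import re

# First three lines are quoted from the bug text; the last one is a
# constructed, unrelated line to show that normal messages are ignored.
SAMPLE_LOG = """\
*Sep 18 12:47:39.930%VPN-SM-3-ACEI0TCAMFAILE: slot 5/1 SpdSpInstall: cannot install Sp 6: TmInsertSp failed
*Sep 18 12:47:39.930%VPN-SM-3-ACEI29SPDFAILE: slot 5/1 PcpCmeInstallNext: cannot install Sp 6 with SpdMan
*Sep 18 12:47:39.802: Cryptomap map1:1 is not downloaded properly. Its policy will not be enforced.
*Sep 18 12:48:01.114: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to up
"""

# Timestamp as it appears in the quoted lines; the separator before the
# message varies (none, or ": "), so both are accepted.
TS = r"\*?[A-Z][a-z]{2}\s+\d+\s+\d+:\d+:\d+(?:\.\d+)?:?\s*"

# Assumption: any VPN-SM severity-3 message containing "cannot install Sp"
# is treated as a failed policy install, not only the two mnemonics shown.
INSTALL_FAIL = re.compile(
    TS + r"%VPN-SM-3-(?P<mnemonic>\w+): slot (?P<slot>\S+) "
    r".*cannot install Sp (?P<sp>\d+)"
)
NOT_ENFORCED = re.compile(
    TS + r"Cryptomap (?P<map>\S+) is not downloaded properly"
)


def find_unenforced_crypto_policy(log_text):
    """Scan syslog text and report failed installs and unenforced crypto maps."""
    failures, maps = [], []
    for line in log_text.splitlines():
        m = INSTALL_FAIL.search(line)
        if m:
            failures.append((m["slot"], int(m["sp"]), m["mnemonic"]))
            continue
        m = NOT_ENFORCED.search(line)
        if m:
            maps.append(m["map"])
    return {
        "install_failures": failures,
        "unenforced_maps": maps,
        # Either signal alone means traffic may be leaving unencrypted.
        "alert": bool(failures or maps),
    }


if __name__ == "__main__":
    print(find_unenforced_crypto_policy(SAMPLE_LOG))
```
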