Cisco Bug: CSCtc06097 - VPNSM: %ACE-3-TRANSERR for multiple deny ACEs in a crypto ACL

Last Modified

Jan 31, 2017

Products (1)

  • Cisco Catalyst 6000 Series Switches

Known Affected Releases


Description (partial)


Traffic is sent in the clear if more than 4 deny entries are configured in a crypto access-list.

Certain combinations of deny and permit entries require a very large number of TCAM entries, exceeding the maximum limit. When this happens, TCAM programming fails and a warning message is displayed to notify the user.

This condition can be reached with any number of deny ACLs, although it becomes more likely as the number of deny entries increases.

An example of the warning message is shown below:

*Sep 18 12:47:39.930%VPN-SM-3-ACEI0TCAMFAILE: slot 5/1 SpdSpInstall: cannot install Sp 6: TmInsertSp failed
*Sep 18 12:47:39.930%VPN-SM-3-ACEI29SPDFAILE: slot 5/1 PcpCmeInstallNext: cannot install Sp 6 with SpdMan
*Sep 18 12:47:39.802: Cryptomap map1:1 is not downloaded properly. Its policy will not be enforced.
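
Added example, not part of the Cisco bug record: a small log check that flags the condition described above, using patterns derived from the three warning lines quoted in the description. The function names and the fourth sample line are assumptions made for illustration.

```python
import re

# Patterns derived from the warning lines quoted in the bug description.
SP_FAIL = re.compile(
    r"%VPN-SM-3-(?P<mnemonic>ACEI\d+\w+):\s*slot (?P<slot>\d+/\d+) "
    r"\w+: cannot install Sp (?P<sp>\d+)")
MAP_FAIL = re.compile(
    r"Cryptomap (?P<name>\S+):(?P<seq>\d+) is not downloaded properly")

def find_unenforced_policies(lines):
    """Collect crypto map entries that failed to download and the VPNSM
    Sp install failures logged alongside them."""
    maps, sp_failures = [], []
    for line in lines:
        m = MAP_FAIL.search(line)
        if m:
            maps.append((m["name"], int(m["seq"])))
            continue
        m = SP_FAIL.search(line)
        if m:
            sp_failures.append((m["slot"], int(m["sp"]), m["mnemonic"]))
    return {"crypto_maps": maps, "sp_failures": sp_failures}

def clear_text_risk(findings):
    """True when a crypto map policy is not enforced, i.e. traffic that
    should match it may leave unencrypted."""
    return bool(findings["crypto_maps"])

# First three lines are the messages quoted above; the last is a constructed
# unrelated line to show that normal log noise is ignored.
SAMPLE_LOG = [
    "*Sep 18 12:47:39.930%VPN-SM-3-ACEI0TCAMFAILE: slot 5/1 SpdSpInstall: cannot install Sp 6: TmInsertSp failed",
    "*Sep 18 12:47:39.930%VPN-SM-3-ACEI29SPDFAILE: slot 5/1 PcpCmeInstallNext: cannot install Sp 6 with SpdMan",
    "*Sep 18 12:47:39.802: Cryptomap map1:1 is not downloaded properly. Its policy will not be enforced.",
    "*Sep 18 12:48:02.114: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to up",
]

if __name__ == "__main__":
    result = find_unenforced_policies(SAMPLE_LOG)
    for name, seq in result["crypto_maps"]:
        print(f"ALERT crypto map {name} seq {seq}: policy not enforced")
    for slot, sp, mnemonic in result["sp_failures"]:
        print(f"  related: slot {slot} Sp {sp} ({mnemonic})")
```

Because the symptom is a warning rather than a hard failure, alerting on the "is not downloaded properly" line is what surfaces the unencrypted-traffic condition.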