Cisco Bug: CSCul77195 - "set security-association level per-host" not effective ASR1k

Last Modified

Feb 01, 2017

Products (1)

  • Cisco IOS

Known Affected Releases

15.2(4.1.1)

Description (partial)

Symptom:
------------------------------------------------------------

usoh-nroyaltonchoke-rtr#Show version
Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.2(4)S4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Sun 01-Sep-13 11:03 by mcpre

IOS XE Version: 03.07.04.S

Cisco IOS-XE software, Copyright (c) 2005-2013 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

usoh-nroyaltonchoke-rtr uptime is 2 days, 22 hours, 22 minutes
Uptime for this control processor is 2 days, 22 hours, 23 minutes
System returned to ROM by reload at 01:43:57 UTC Thu Oct 3 2013
System image file is "bootflash:asr1001-universalk9.03.07.04.S.152-4.S4.bin"
Last reload reason: Reload Command



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: adventerprise
License Type: Permanent
Next reload license Level: adventerprise

cisco ASR1001 (1RU) processor with 3818130K/6147K bytes of memory.
Processor board ID SSI173406SD
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
8388608K bytes of physical memory.
7741439K bytes of eUSB flash at bootflash:.

Configuration register is 0x2102

We have a site-to-site VPN between an ASR1k and a 7200; found during migration.

Case 1: We have "set security-association level per-host" under the crypto map on either side and have matched the interesting traffic with an access-list using the host keyword. The ASR1k can negotiate the SA, but it cannot encrypt the packets.

Case 2: We changed the interesting traffic to an access-list using a wildcard mask, keeping "set security-association level per-host" under the crypto map on either side. The ASR1k can negotiate the SA and can also encrypt the packets.

Conditions:
-----------------------------------------------------------------

Interesting traffic matched by an access-list using the host keyword, together with "set security-association level per-host": the ASR1k negotiates the SA but cannot encrypt packets.

Interesting traffic matched by an access-list using a wildcard mask, together with "set security-association level per-host": the ASR1k negotiates the SA and can also encrypt packets.
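The two configurations the report contrasts, written out as an added example that is not part of the original bug report. Peer addresses, host addresses, ACL and crypto map names, the interface and the pre-shared key are placeholders I chose; the only elements taken from the report are "set security-association level per-host" combined with a host-keyword ACL (case 1) versus a wildcard-mask ACL (case 2). The 7200 side carries the mirror image of whichever variant is in use.

```cisco
! Added example (not from the bug report). All addresses, names and the
! pre-shared key are placeholders; 203.0.113.0/24 is documentation space.
!
! --- Settings common to both cases, ASR1k side ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
! --- Case 1: per-host SA level + ACL written with the "host" keyword ---
! Per the report, the ASR1k negotiates the SA for this pair but does not
! encrypt the matching traffic.
ip access-list extended VPN-CASE1
 permit ip host 10.1.1.10 host 10.2.2.20
!
crypto map CM-CASE1 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 set security-association level per-host
 match address VPN-CASE1
!
! --- Case 2: same per-host SA level, ACL written with wildcard masks ---
! Per the report, this variant both negotiates and encrypts on the ASR1k.
! With "per-host", a subnet-wide entry still produces one SA per
! source/destination host pair, so the 10.1.1.10 <-> 10.2.2.20 flow gets
! its own SA here just as it would in case 1.
ip access-list extended VPN-CASE2
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map CM-CASE2 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 set security-association level per-host
 match address VPN-CASE2
!
! Only one crypto map can be bound to an interface; apply whichever
! variant is under test (CM-CASE1 to reproduce, CM-CASE2 to work around).
interface GigabitEthernet0/0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-CASE2
!
! Checks after sending traffic from 10.1.1.10 to 10.2.2.20:
!   show crypto isakmp sa                  -> a QM_IDLE / ACTIVE entry for 203.0.113.2
!   show crypto ipsec sa peer 203.0.113.2  -> one SA per host pair; compare the
!                                             "#pkts encaps" / "#pkts encrypt"
!                                             counters against the traffic sent
! The report's failing condition is an SA that is present in that output while
! the encaps/encrypt counters do not track the traffic being sent.
```

To confirm the symptom rather than a policy mismatch, compare the proxy identities shown by `show crypto ipsec sa` on both peers: in the failing case they agree and the SA is up, which is what distinguishes this bug from an ordinary interesting-traffic mismatch, where the SA would not be negotiated at all.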