Cisco Bug: CSCul77195 - "set security-association level per-host" not effective ASR1k
Feb 01, 2017
- Cisco IOS
Known Affected Releases
Symptom: ------------------------------------------------------------ usoh-nroyaltonchoke-rtr#Show version Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.2(4)S4, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2013 by Cisco Systems, Inc. Compiled Sun 01-Sep-13 11:03 by mcpre IOS XE Version: 03.07.04.S Cisco IOS-XE software, Copyright (c) 2005-2013 by cisco Systems, Inc. All rights reserved. Certain components of Cisco IOS-XE software are licensed under the GNU General Public License ("GPL") Version 2.0. The software code licensed under GPL Version 2.0 is free software that comes with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such GPL code under the terms of GPL Version 2.0. For more details, see the documentation or "License Notice" file accompanying the IOS-XE software, or the applicable URL provided on the flyer accompanying the IOS-XE software. ROM: IOS-XE ROMMON usoh-nroyaltonchoke-rtr uptime is 2 days, 22 hours, 22 minutes Uptime for this control processor is 2 days, 22 hours, 23 minutes System returned to ROM by reload at 01:43:57 UTC Thu Oct 3 2013 System image file is "bootflash:asr1001-universalk9.03.07.04.S.152-4.S4.bin" Last reload reason: Reload Command This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to email@example.com. License Level: adventerprise License Type: Permanent Next reload license Level: adventerprise cisco ASR1001 (1RU) processor with 3818130K/6147K bytes of memory. Processor board ID SSI173406SD 4 Gigabit Ethernet interfaces 32768K bytes of non-volatile configuration memory. 8388608K bytes of physical memory. 7741439K bytes of eUSB flash at bootflash:. Configuration register is 0x2102 we have site-to-site vpn between an ASR1k and 7200 , Found During Migration . Case1: We have "set security-association level per-host" under crypto map on either side and we have matched interesting traffic with an access-list using host keyword ,due to which ASR1k can negotiate the SA but it couldn't encrypt the packet . Case2: We changed the interesting traffic with an access-list using wildcard mask by keeping "set security-association level per-host" under crypto map on either side , ASR1k can negotiate the SA and also it can encrypt the packet . Conditions: ----------------------------------------------------------------- Match interesting traffic with an access-list using host keyword along with "set security-association level per-host" ASR1k Negotiate SA but it can't encrypt packet . Match interesting traffic with an access-list using wildcard along with "set security-association level per-host" ASR1k Negotiate SA also it can encrypt packet .
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases