Guest

Preview Tool

Cisco Bug: CSCuq17550 - ISRG2-GETVPN-IPv6 Egress IPv6 Interface ACL checked before encryption

Last Modified

Sep 14, 2019

Products (80)

  • Cisco IOS
  • Cisco 886VA-CUBE Integrated Services Router
  • Cisco 881SRSTW Integrated Services Router
  • Cisco 2951 Integrated Services Router
  • Cisco 888W Integrated Services Router
  • Cisco C892FSP Integrated Services Router
  • Cisco 819 Hardened Integrated Services Router
  • Cisco C897VA Integrated Services Router
  • Cisco 861W Integrated Services Router
  • Cisco VG204XM Analog Voice Gateway
View all products in Bug Search Tool Login Required

Known Affected Releases

15.3(3)M3

Description (partial)

Symptom:
Based on legacy IOS order of operations, IPSec Encryption comes before Output ACL check (if encrypted).

However, for IPv6 GetVPN Data Path, if an egress IPv6 traffic filter is applied to the same interface as the GDOI Crypto Map, the egress packets that are to be encrypted are checked against the egress IPv6 ACL before encryption, even though the respective packets should be already marked for encryption and not
checked against the respective ACL till after encryption.

Conditions:
ISR G2 E and non-E series, OS 15M, GETVPN IPv6 Data Path, use of egress IPv6 Traffic Filter
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.