Cisco Bug: CSCut14355 - GETVPN - IOS-XE using SW-TCAM - Deny policy classification incorrect

Last Modified

Jan 28, 2017

Products (1)

  • Cisco IOS

Known Affected Releases

15.4(3)S2.2

Description (partial)

Symptom:
The Group Member exhibits erratic behavior with respect to deny policies:
On ISR-4300:
- Outbound traffic hits the deny policy and goes out in clear text, however
- When handling the returning clear-text traffic, the deny policies may be ignored, and the router may start dropping it with "IPSEC-3-RECVD_PKT_NOT_IPSEC"

ASR1k:
A) When the KS sends a policy as follows [as long as SW TCAM is in use because of the large number of deny ACL entries]:
deny tcp any eq 22 any
deny tcp any any eq 22
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

- Here, the ASR sends all TCP traffic [e.g. SSH as well as HTTP] unencrypted, as though it were disregarding the port match

B) When the policy configuration is as follows:

KS pushes:
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Local deny policy is:
deny tcp any eq 22 any
deny tcp any any eq 22

- Here, the ASR does not consult the local deny policy at all, and sends all traffic [matching the permit policy] encrypted.

Conditions:
IOS-XE [ISR 4300 or ASR1k] on XE 3.13 configured as a GetVPN Group Member, where either SW-TCAM is used by default for the platform or the deny policy is so large that HW-TCAM cannot accommodate it, so the platform falls back to SW-TCAM.
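As an added illustration, not part of the Cisco bug record, the following Python models the classification a Group Member is expected to apply to the two policy layouts above, so that observed behaviour can be spot-checked against it. It assumes the standard GETVPN evaluation order (local deny ACEs first, then the KS-pushed ACL; traffic matching no permit is passed in clear) and uses constructed flows; the Flow tuple, the ACE parser and KS_POLICY_A are this example's own, not Cisco code.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "proto src sport dst dport")  # proto: "tcp", "udp" or "ip"

def _in_wildcard(ip, net, wildcard):
    """Cisco wildcard match: bits set in the wildcard are don't-care bits."""
    i, n, w = (int(ipaddress.IPv4Address(x)) for x in (ip, net, wildcard))
    care = ~w & 0xFFFFFFFF
    return (i & care) == (n & care)

def _parse_ace(line):
    """Parse the ACE subset used in the bug report: ACTION PROTO SRC [eq P] DST [eq P]."""
    tok = line.split()
    action, proto, tok = tok[0], tok[1], tok[2:]
    def take_addr():
        nonlocal tok
        if tok[0] == "any":
            tok = tok[1:]
            return ("0.0.0.0", "255.255.255.255")
        addr, wc, tok = tok[0], tok[1], tok[2:]
        return (addr, wc)
    def take_port():
        nonlocal tok
        if tok and tok[0] == "eq":
            port, tok = int(tok[1]), tok[2:]
            return port
        return None
    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return action, proto, src, sport, dst, dport

def _matches(ace, f):
    _, proto, (sn, sw), sp, (dn, dw), dp = ace
    return (proto in ("ip", f.proto)
            and _in_wildcard(f.src, sn, sw) and _in_wildcard(f.dst, dn, dw)
            and sp in (None, f.sport) and dp in (None, f.dport))

def classify(local_acl, ks_acl, flow):
    """Expected GM behaviour (assumed model): local deny ACEs are evaluated before the
    KS-pushed policy; deny -> CLEAR, permit -> ENCRYPT, no match -> CLEAR."""
    for line in list(local_acl) + list(ks_acl):
        ace = _parse_ace(line)
        if _matches(ace, flow):
            return "ENCRYPT" if ace[0] == "permit" else "CLEAR"
    return "CLEAR"

# Constructed sample: the scenario A policy from the bug report (KS-pushed, no local ACL).
KS_POLICY_A = ["deny tcp any eq 22 any", "deny tcp any any eq 22",
               "permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"]
```

With this model, SSH between the two subnets classifies as CLEAR in both directions while HTTP classifies as ENCRYPT; a GM that encrypts SSH, sends HTTP in clear, or drops returning clear SSH is showing the behaviour this bug describes.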