Cisco Bug: CSCut14355 - GETVPN - IOS-XE using SW-TCAM - Deny policy classification incorrect
Feb 17, 2018
- Cisco IOS
Known Affected Releases
Symptom: A GETVPN Group Member (GM) behaves inconsistently with respect to deny policies.

On ISR-4300:
- Outbound traffic matching a deny policy is sent in clear text, as expected; however
- for the returning clear-text traffic the deny policies may be ignored, and the router may start dropping it with "IPSEC-3-RECVD_PKT_NOT_IPSEC".

On ASR1k (as long as SW-TCAM is in use because of the large number of deny ACL entries):
A) When the KS sends the following policy:
     deny tcp any eq 22 any
     deny tcp any any eq 22
     permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
   the ASR sends all TCP traffic (e.g. SSH as well as HTTP) unencrypted, as though it disregarded the port numbers in the deny entries.
B) When the KS pushes:
     permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
   and the GM's local deny policy is:
     deny tcp any eq 22 any
     deny tcp any any eq 22
   the ASR does not consult the local deny policy at all and sends all traffic matching the permit policy encrypted.

Conditions: IOS-XE (ISR 4300 or ASR1k) on XE 3.13 configured as a GETVPN Group Member, where either SW-TCAM is used by default for the platform or the deny policy is so large that HW-TCAM cannot accommodate it, so classification falls back to SW-TCAM.