
Cisco Bug: CSCut64327 - L2TP/IPsec traffic dropped due to "vpn-overlap-conflict"

Last Modified

Nov 09, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.1(1) 9.1(6)

Description (partial)

Symptom:
After upgrading the code from 9.1(1) to 9.1(2)/9.1(6), L2TP/IPsec users are not able to access inside resources.

Inside hosts can reach the connected L2TP/IPsec client fine.

Setup:
*******
10.48.100.0/24-----[inside] ASA [outside]---------ISP---------------Site-to-Site-VPN-peer----10.48.0.0/16 ( contains multiple subnets in 10.48.x.0/24 range, so it has been summarized to /16)
                                                                       |
                                                                       |
                                                                       |------------------l2tp/ipsec-vpn user (10.48.252.128-10.48.252.254)

NOTE: The VPN pool falls within the /16 network of the remote site-to-site peer; to prevent pool traffic from matching the static crypto map, a deny entry has been added.

*************
access-list test line 1 extended deny ip 10.48.100.0 255.255.255.0 10.48.252.0 255.255.255.0
access-list test line 3 extended permit ip 10.48.100.0 255.255.255.0 10.48.0.0 255.255.0.0
*************
The presence of either of the two ACEs shown above causes the drop ("vpn-overlap-conflict"); only removing both restores the traffic, after which the L2TP/IPsec client can reach inside resources fine.


'sh asp drop' shows large increments in the 'vpn-overlap-conflict' counter.

Conditions:
The VPN pool falls within the remote site-to-site network's /16 range; to prevent it from matching the static crypto map, a deny entry has been added to the static map ACL.


access-list test line 1 extended deny ip 10.48.100.0 255.255.255.0 10.48.252.0 255.255.255.0 //** Deny vpn pool
access-list test line 3 extended permit ip 10.48.100.0 255.255.255.0 10.48.0.0 255.255.0.0  //** site to site vpn ACE
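A small check for the overlap condition described above, added here as an example and not taken from the bug report or from Cisco tooling: it parses the two ACEs and the pool range quoted on this page (embedded as constructed sample input) and reports every ACE whose destination network overlaps the L2TP/IPsec pool, since on the affected releases the report says either the deny or the permit ACE is enough to trigger the drop. The function names and the pool summarization are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the crypto-map ACEs and L2TP/IPsec pool from the bug description.
ACL = """
access-list test line 1 extended deny ip 10.48.100.0 255.255.255.0 10.48.252.0 255.255.255.0
access-list test line 3 extended permit ip 10.48.100.0 255.255.255.0 10.48.0.0 255.255.0.0
"""
POOL_START, POOL_END = "10.48.252.128", "10.48.252.254"

# Matches 'access-list <name> line <n> extended permit|deny ip <src> <mask> <dst> <mask>'
ACE_RE = re.compile(
    r"access-list\s+(\S+)\s+line\s+(\d+)\s+extended\s+(permit|deny)\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)


def parse_aces(text):
    """Parse ASA extended ACEs with dotted-mask networks into dicts."""
    aces = []
    for m in ACE_RE.finditer(text):
        name, line, action, src, smask, dst, dmask = m.groups()
        aces.append({
            "acl": name, "line": int(line), "action": action,
            # ipaddress accepts a dotted netmask after the slash for IPv4
            "src": ipaddress.ip_network(f"{src}/{smask}", strict=False),
            "dst": ipaddress.ip_network(f"{dst}/{dmask}", strict=False),
        })
    return aces


def pool_networks(start, end):
    """Summarize a first-last address pool into the CIDR blocks that cover it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def find_overlaps(aces, pool):
    """Return (line, action, dst) for every ACE whose destination overlaps the pool.
    Deny ACEs are reported too: per the bug report, a deny carve-out is not enough."""
    hits = []
    for ace in aces:
        if any(ace["dst"].overlaps(block) for block in pool):
            hits.append((ace["line"], ace["action"], str(ace["dst"])))
    return hits


if __name__ == "__main__":
    pool = pool_networks(POOL_START, POOL_END)
    for line, action, dst in find_overlaps(parse_aces(ACL), pool):
        print(f"ACE line {line} ({action} -> {dst}) overlaps the L2TP/IPsec pool")
```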