Cisco IOS Software Releases 12.3 T

Field Notice: Crypto Access Check on Clear-Text Packets


May 14, 2004


Products Affected

Product: 12.3(8)T IPSec 3DES and IPSec 56 images

Comments: Cisco IOS Release 12.3(8)T introduces the Crypto Access Check on Clear-Text Packets feature, which changes the default behavior of crypto Access Control Lists. Default behavior is affected in all IOS IPsec images.

Problem Description

The Crypto Access Check on Clear-Text Packets feature provides four changes for the interaction between IPsec and interface access-lists. Customers upgrading to 12.3(8)T may need to make configuration changes prior to and after upgrading. IOS IPsec tunnels may stop passing traffic if upgrades occur without configuration changes.

The Crypto Access Check on Clear-Text Packets feature does not apply to IPSec configurations on the IPSec VPN Service Module card on the Cisco Catalyst 6500 Series Switches or Cisco 7600 Series Routers.

Background

Prior to Cisco IOS Release 12.3(8)T, the interface ACL checks were as follows:

  1. Inbound packets were checked twice: once on the encrypted packet, and again on the decrypted packet.

  2. Outbound packets were checked once, before the packet was encrypted, but not after encryption.

Most networks do not require the double check of the decrypted packet against the outside interface inbound ACL or the check of the outbound clear-text packet against the outside interface outbound ACL.

The Crypto Access Check on Clear-Text Packets feature removes the outside interface Access Control List (ACL) check for inbound clear-text packets that have just been decrypted from an IPsec-encrypted packet, and for outbound clear-text packets that are about to be encrypted. This simplifies the configuration of the outside interface ACLs and eliminates the security risks associated with the double check when using dynamic crypto maps.

The Crypto Access Check on Clear-Text Packets feature adds the following:

  1. Important: A check of the outgoing encrypted packet against the outside interface outbound ACL, which means this ACL must explicitly permit these encrypted packets.

  2. The capability to apply inbound and outbound ACLs to the IPsec crypto map, which allows further control of the data packets that are allowed through the IPsec tunnel.
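The following IOS configuration is an added example, not part of this field notice, showing how the two changes above land on the outside interface of a site-to-site tunnel. The peer addresses 198.51.100.1 and 203.0.113.1, the 10.1.0.0/16 and 10.2.0.0/16 subnets, and all ACL, transform-set and crypto map names are constructed for illustration; the `set ip access-group ... in|out` crypto map command is assumed to be the form introduced by this feature, and the ISAKMP policy and pre-shared key configuration are omitted.

```cisco
! Added example configuration (constructed addresses and names, not from the notice).
!
! Transform set for the tunnel.
crypto ipsec transform-set TS_3DES_SHA esp-3des esp-sha-hmac
!
! Outside interface OUTBOUND ACL.
! Change 1: from 12.3(8)T the *encrypted* outbound packet is checked here,
! so IKE (UDP 500, and UDP 4500 when NAT-T is in use) and ESP to the peer
! must be permitted explicitly or the tunnel stops passing traffic.
! Entries for non-VPN outbound traffic are omitted; the implicit deny still applies.
ip access-list extended OUTSIDE_OUT
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit udp host 198.51.100.1 host 203.0.113.1 eq non500-isakmp
 permit esp host 198.51.100.1 host 203.0.113.1
!
! Outside interface INBOUND ACL.
! The encrypted packet is still checked here. Before 12.3(8)T this ACL also
! had to permit the decrypted clear-text traffic (10.2.0.0/16 -> 10.1.0.0/16);
! that entry is no longer consulted, so the per-tunnel TUNNEL_IN ACL below
! takes its place.
ip access-list extended OUTSIDE_IN
 permit udp host 203.0.113.1 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.1 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.1 host 198.51.100.1
 deny ip any any log
!
! Crypto ACL selecting which traffic is encrypted (unchanged by the feature).
ip access-list extended CRYPTO_TO_BRANCH
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Change 2: clear-text ACLs bound to the crypto map entry control what is
! allowed through the tunnel after decryption (in) and before encryption (out).
ip access-list extended TUNNEL_IN
 permit tcp 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255 eq 443
 permit icmp 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255 echo
 deny ip any any log
ip access-list extended TUNNEL_OUT
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map OUTSIDE_MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS_3DES_SHA
 match address CRYPTO_TO_BRANCH
 ! Assumed syntax of the crypto map ACL command introduced by this feature.
 set ip access-group TUNNEL_IN in
 set ip access-group TUNNEL_OUT out
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE_IN in
 ip access-group OUTSIDE_OUT out
 crypto map OUTSIDE_MAP
```

The practical check before upgrading is the OUTSIDE_OUT list: on a pre-12.3(8)T router an outbound ACL that only permits clear-text traffic will start dropping the router's own ESP and IKE packets once the encrypted packet is checked, which is the "tunnels may not pass any traffic" symptom. The OUTSIDE_IN list can be tightened at the same time, since the decrypted clear-text packet no longer has to be permitted there.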

Problem Symptoms

IOS IPsec tunnels may not pass any traffic after upgrading to 12.3(8)T.

Workaround/Solution

Refer to the 12.3(8)T Release Notes on Crypto Access Check on Clear-Text Packets for complete feature information and suggested configuration changes.

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS: CSCdz54626 (registered customers only)

Description: Regular inbound ACL is processed twice for IPSec traffic

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.