BGP and crypto map

Hy everybody,

at the moment i have a strange behaviour with one of my routers. It's
a 7120 (12.2.15 T7)where i'm running bgp and vpn stuff on. The problem
i got at the moment is, that everytime i enable a crypto map on my
serial interface my bgp session to my providers router goes down.
After i debuged a lot of stuff and made some testings i really thing
it's a bug but maybe i missed something. Did someone had similar
problems ??

Thanx in advance for reponds

[email protected]

 

Hy everybody,

You gotta post a config, else there is really no way to help you.

kr

 

How does your ACL's look ? As CCIE8122 mentioned, configs are required.

 

Are you using route-maps to match the nexthop ?


Tijuana, mexico

 

I'm using route maps for the BGP config. For VPN i use static routes.
[email protected]

 

Hy,

appended you find an extract of my config.


ip subnet-zero
no ip source-route
!
!
no ip domain lookup
!
no ip cef
!
!!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp key xxxxxxx address xx.xx.xx.xx no-xauth
!
!
crypto ipsec transform-set Test-vpn esp-3des esp-sha-hmac
!
crypto map Test-vpn 10 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set NS-Strong
match address 175


!
!
interface Serial1/0
bandwidth 1984
ip address xx.xx.xx.xx 255.255.255.252
ip access-group 110 in
no ip route-cache
no ip mroute-cache
load-interval 60
down-when-looped
serial restart_delay 0
no fair-queue
no cdp enable
crypto map Test-vpn
!
router bgp xxxx
no synchronization
bgp router-id xx.xx.xx.xx
bgp log-neighbor-changes
network xx.xx.xx.xx
neighbor <Provider-Router> remote-as xx
neighbor <Provider-Router> send-community
neighbor <Provider-Router> soft-reconfiguration inbound
neighbor <Provider-Router> route-map IN in
neighbor <Provider-Router> route-map OUT out
neighbor <my-other-redundant-router> remote-as xxxx
neighbor <my-other-redundant-router> update-source Loopback0
neighbor <my-other-redundant-router> next-hop-self
neighbor <my-other-redundant-router> send-community
no auto-summary
!
ip classless
ip route VPN-network serial 1/0
no ip http server
no ip http secure-server
!
ip bgp-community new-format
ip as-path access-list 1 permit ^$
ip as-path access-list 2 permit ^xxx_
!
ip prefix-list NO-SUBNET seq 5 permit 0.0.0.0/0 ge 25
!
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any source-quench
access-list 110 permit icmp any any time-exceeded
access-list 110 permit icmp any any parameter-problem
access-list 110 permit icmp any any conversion-error
access-list 110 permit icmp any xxxxxxx echo-reply
access-list 110 deny icmp any any
access-list 110 permit ip any any
access-list 110 permit esp any any
access-list 175 permit ip xxxx xxxxxx
no cdp run
!
route-map OUT permit 10
match as-path 1
set as-path prepend xxx xxx xxx
!
route-map OUT deny 20
!
route-map IN deny 5
match ip address prefix-list NO-SUBNET
!
route-map IN permit 10
match as-path 2
set local-preference 90

 

Hy everybody,

Cisco TAC helped us to find the problem. The IOS is a litlle bit
sensitive regarding the vpn config. We had a dynamic crypto map entry
in our config (as a template) with a link to a access list where the
access list itself was not configured.
After setting the access lists the problem vanished.

Thanx for all the reponses

[email protected]