Cisco Bug: CSCsy84448 - VACL policy not getting deleted even after deleting ARP ACL

Last Modified

Jan 29, 2017

Products (1)

  • Cisco Nexus 7000 Series Switches

Known Affected Releases

4.1(5) 4.1(5)E2 4.2(0.174)

Description (partial)

Symptom:
The CLI hangs or becomes unresponsive for 60 seconds or more, and errors such as the following are logged:

  %ACLMGR-3-ACLMGR_PPF_ERROR: PPF error: DDB Error: 0x41170040
  (ddb_srv_ses_rmtsrv_dset_unln/1864)

  %ETHPORT-2-IF_SEQ_ERROR: Error ("sequence timeout") while communicating with component
  MTS_SAP_RPM_CTRL for opcode MTS_OPC_ETHPM_PORT_LOGICAL_CLEANUP (RID_PORT:
  port-channel5)             

  %ETHPORT-2-SEQ_TIMEOUT: Component MTS_SAP_RPM_CTRL timed out on response to
  opcode MTS_OPC_ETHPM_PORT_LOGICAL_CLEAN

  %RPM-2-PPF_SES_VERIFY: rpm [4581] PPF session verify failed in client (Line card  1/VDC
  NONE/UUID  0) with an error 0x41170014(Operation timed out)

  %ETHPORT-2-IF_DOWN_ERROR_DISABLED: Interface Ethernet2/14 is down (Error disabled.
  Reason: Internal Handshake Failure)

Conditions:
This error occurs when all of the following are true:

1) A policy is applied to a non-physical interface, e.g. a route-map, VACL or ARP inspection ACL is applied to an SVI, a port-channel or a VLAN. Policies applied directly to physical interfaces, and OSPF or BGP redistribution route-maps, are not affected.

and

2) The policy is applied to either:
  a) a non-physical interface that has more than one physical member interface on the same line card, or
  b) two or more non-physical interfaces that share a physical port on the same line card

and 

3) The policies contain more than one reference to an access list, e.g.:
  a) multiple class-maps or route-maps match the same access list:

    route-map map1 permit 10
      match ip address myAcl
    route-map map2 permit 10
      match ip address myAcl

  b) a single route-map contains multiple match ip address statements:

    route-map map1 permit 10
      match ip address myAcl-1
    route-map map1 permit 20
      match ip address myAcl-2

and

4) The access-list references, or the underlying access lists themselves, are modified or deleted while the policy is applied to an interface.

If every ACL in a VDC is used only once *and* ACLs are modified only while they are not applied to a non-physical interface, this error will not occur.
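Before touching an ACL on an affected release it is worth knowing which applied policies fall into the reference pattern of conditions 1 and 3. The following Python script is an added example, not part of the Cisco bug text or any Cisco tool: it parses a running-config for PBR route-maps (`ip policy route-map` under an interface) and VLAN access-maps (`vlan access-map` / `vlan filter`), ignores policies on physical Ethernet interfaces, and flags any policy on an SVI, port-channel or VLAN that either has more than one `match ip address` statement or shares an ACL with another policy. The configuration it parses is constructed and uses the standard NX-OS syntax as an assumption; condition 2 (physical members on the same line card) cannot be derived from the configuration and must be checked separately against the port-channel and VLAN membership of the chassis.

```python
"""Audit an NX-OS running-config for the ACL-reference pattern behind CSCsy84448.
Flags policies (PBR route-maps, VLAN access-maps) applied to a non-physical
interface (SVI, port-channel, VLAN) that either carry more than one
'match ip address' statement or share an ACL with another policy.  Condition 2
(physical members on the same line card) is not visible in the config and must
be checked separately.  Added example, not Cisco code; the config is constructed.
"""
import re

# Constructed sample (assumed NX-OS syntax); ACL bodies omitted for brevity.
SAMPLE_CONFIG = """
route-map map1 permit 10
  match ip address myAcl
route-map map2 permit 10
  match ip address myAcl
route-map map3 permit 10
  match ip address myAcl-1
route-map map3 permit 20
  match ip address myAcl-2
route-map map4 permit 10
  match ip address soloAcl
vlan access-map vacl1 10
  match ip address myAcl
  action drop
vlan filter vacl1 vlan-list 30
interface Vlan10
  ip policy route-map map1
interface Vlan20
  ip policy route-map map4
interface port-channel5
  ip policy route-map map3
interface Ethernet2/14
  ip policy route-map map4
"""

POLICY_HDR = re.compile(r'^(?:route-map|vlan access-map)\s+(\S+)')
MATCH_ACL = re.compile(r'^\s+match ip address\s+(\S+)')
NON_PHYSICAL_IF = re.compile(r'^interface\s+(Vlan\d+|port-channel\d+)\s*$')
PBR_APPLY = re.compile(r'^\s+ip policy route-map\s+(\S+)')
VLAN_FILTER = re.compile(r'^vlan filter\s+(\S+)\s+vlan-list\s+(\S+)')


def parse_policies(config):
    """Return {policy_name: [acl, ...]}, one entry per match statement.
    Sequences of one route-map (seq 10, 20, ...) accumulate under one name,
    so a list longer than one means multiple match statements (condition 3b)."""
    policies = {}
    current = None
    for line in config.splitlines():
        if not line.startswith(' '):           # top-level line starts a new block
            m = POLICY_HDR.match(line)
            current = m.group(1) if m else None
            if current is not None:
                policies.setdefault(current, [])
            continue
        m = MATCH_ACL.match(line)
        if m and current is not None:
            policies[current].append(m.group(1))
    return policies


def parse_applied(config):
    """Return {policy_name: set(targets)} for non-physical attachments only.
    Policies on physical Ethernet ports are skipped: the bug text says they
    are not affected (condition 1)."""
    applied = {}
    current_if = None
    for line in config.splitlines():
        if not line.startswith(' '):
            m = NON_PHYSICAL_IF.match(line)
            current_if = m.group(1) if m else None
            m = VLAN_FILTER.match(line)
            if m:
                applied.setdefault(m.group(1), set()).add('vlan ' + m.group(2))
            continue
        m = PBR_APPLY.match(line)
        if m and current_if is not None:
            applied.setdefault(m.group(1), set()).add(current_if)
    return applied


def find_risky(config):
    """List applied policies whose ACL references meet condition 3a or 3b."""
    policies = parse_policies(config)
    applied = parse_applied(config)
    users = {}                                 # acl -> set of policies referencing it
    for name, acls in policies.items():
        for acl in set(acls):
            users.setdefault(acl, set()).add(name)
    findings = []
    for name in sorted(applied):
        acls = policies.get(name, [])
        reasons = []
        if len(acls) > 1:                      # condition 3b
            reasons.append('has %d match ip address statements' % len(acls))
        for acl in sorted(set(acls)):          # condition 3a
            others = sorted(users[acl] - {name})
            if others:
                reasons.append('ACL %s also used by %s' % (acl, ', '.join(others)))
        if reasons:
            findings.append({'policy': name, 'applied_to': sorted(applied[name]),
                             'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in find_risky(SAMPLE_CONFIG):
        print('%s on %s: %s' % (f['policy'], ', '.join(f['applied_to']),
                                 '; '.join(f['reasons'])))
```

On the constructed config the script reports map1 (on Vlan10) and vacl1 (on VLAN 30) because both reference myAcl alongside other policies, and map3 (on port-channel5) because it carries two match statements; map4 is not reported, since its only ACL is used nowhere else and its Ethernet2/14 attachment is out of scope. For any reported policy, the safe order of operations on an affected release is to remove the policy from the interface, edit the ACL or its references, and then re-apply it.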