Cisco Bug: CSCul67169 - Fed Crash on NG3K when trying to authenticate a supplicant using 802.1x

Last Modified

Aug 20, 2019

Products (1)

  • Cisco Catalyst 3850 Series Switches

Known Affected Releases


Description (partial)

In an environment where downloadable ACLs are used, a Cat3850 may report a FED crash.

This crash is triggered by ACL names longer than 64 characters. Internally, several strings are added to the ACL name, and if the aggregate exceeds 63 characters, this crash is seen.

As an example, consider an ACL configured in an ACS server as "this-acl-is-22-letters".
- ACS adds characters to the beginning and end of this ACL (which can be seen in "show auth sess int <int> detail")
- the switch adds characters to the beginning and end of this ACL

#sh auth sess int gi 2/11 details
            Interface:  GigabitEthernet2/11
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-this-acl-is-22-letters-520492d0

On any port where a device receives an ACL whose name is longer than 64 characters, the name will be truncated, and this same truncated string will share the ACL programming with other ports in the same state and trigger the issue.
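
An added example (not Cisco code and not part of the bug report): it parses "show auth sess ... details" output like the sample above and flags sessions whose ACS ACL name, plus the characters the switch adds, exceeds the 63-character aggregate. The `switch_overhead` parameter and the second sample session are assumptions; the page does not state how many characters the switch adds.

```python
import re

LIMIT = 63  # aggregate name length the description says must not be exceeded

# Constructed sample: the first session copies the output shown on this page,
# the second session and its ACL name are invented for illustration.
SAMPLE = """\
#sh auth sess int gi 2/11 details
            Interface:  GigabitEthernet2/11
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-this-acl-is-22-letters-520492d0
#sh auth sess int gi 2/12 details
            Interface:  GigabitEthernet2/12
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-corp-wireless-guest-restricted-internet-only-v2-5a0b1c2d
"""

# Only the two fields needed for the audit are parsed.
FIELD = re.compile(r"^\s*(Interface|ACS ACL):\s+(\S+)\s*$")

def audit(text, switch_overhead=0):
    """Return [(interface, acl_name, aggregate_len, over_limit)], one per session.

    switch_overhead: number of characters the switch adds around the name.
    The page does not give this count, so it is a caller-supplied assumption.
    """
    rows, iface = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Interface":
            iface = value  # remember which port the next ACL line belongs to
        else:
            total = len(value) + switch_overhead
            rows.append((iface, value, total, total > LIMIT))
    return rows

if __name__ == "__main__":
    for iface, acl, total, bad in audit(SAMPLE):
        print(f"{iface:24} {total:3} {'OVER LIMIT' if bad else 'ok':10} {acl}")
```

With `switch_overhead=0` the result is a lower bound, so a name flagged here is over the limit before the switch adds anything.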