Cisco Bug: CSCum83842 - Detailed ip acl logging shows incorrect matching ACE number

Last Modified

Oct 08, 2019

Products (8)

  • Cisco Nexus 7000 Series Switches
  • Cisco Nexus 7000 10-Slot Switch
  • Cisco Nexus 7000 4-Slot Switch
  • Cisco Nexus 7700 6-Slot Switch
  • Cisco Nexus 7700 18-Slot Switch
  • Cisco Nexus 7000 18-Slot Switch
  • Cisco Nexus 7700 10-Slot Switch
  • Cisco Nexus 7000 9-Slot Switch

Known Affected Releases

6.2(6) 7.0(3)I7(4)

Description (partial)

When the ACL logging feature is enabled, a packet matching an ACE
causes a log message to appear on the console. The log contains information
on the packet as well as which ACE the packet matched. The sequence number of
the matched ACE is wrong, which confuses the end user: specifically,
the sequence number may appear to belong to a non-existent ACE.
For example,

ip access-list foo
 10 permit ...
 20 permit ...
 40 permit ...

The log would show the packet matching ACE "30", which is not configured
in "foo" above.

The ACL is applied to a target (e.g. an interface), and the ACEs are NOT
numbered in the following fashion:

(1) starting from ACE 10, and
(2) incrementing by 10 for each subsequent ACE.

For example, if the sequence numbers read 10, 20, 30, ..., this problem
does not occur. But if they follow a different pattern, such as
10, 20, 40, 80, 81, ..., that does not conform to the two points above,
this problem will surface.
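The example in the description (ACEs 10, 20, 40 logged as "30") is consistent with the logged number being 10 times the ACE's ordinal position in the list rather than its configured sequence number. The following added example (not Cisco's code, and not taken from the bug record) uses that assumed mapping to help an operator correlate a logged ACE number back to the ACE that most likely matched, and to flag ACLs whose numbering meets the triggering condition. The ACL text is a constructed sample in the same shape as the snippet above; the entries' match criteria are placeholders.

```python
import re

# Constructed sample configuration shaped like the ACL in the bug description.
# Only the sequence numbers matter here; the match criteria are placeholders.
SAMPLE_ACL_CONFIG = """\
ip access-list foo
 10 permit ip 10.0.0.0/8 any
 20 permit tcp any any eq 22
 40 deny ip any any log
ip access-list bar
 10 permit ip any any
 20 deny ip any any log
 30 deny ip any any
"""


def parse_acl(config: str) -> dict:
    """Return {acl_name: [sequence numbers, ascending]} from NX-OS style ACL text."""
    acls = {}
    current = None
    for line in config.splitlines():
        head = re.match(r"^ip access-list (\S+)", line)
        if head:
            current = head.group(1)
            acls[current] = []
            continue
        ace = re.match(r"^\s+(\d+)\s+(permit|deny)\b", line)
        if ace and current is not None:
            acls[current].append(int(ace.group(1)))
    for name in acls:
        acls[name].sort()  # ACEs are evaluated in ascending sequence order
    return acls


def numbering_triggers_bug(seqs: list) -> bool:
    """True when the ACE numbering is not exactly 10, 20, 30, ... (the stated condition)."""
    return seqs != [10 * (i + 1) for i in range(len(seqs))]


def resolve_logged_ace(seqs: list, logged: int) -> dict:
    """Map a logged ACE number to the ACE that likely matched.

    Assumption (inferred from the bug's own example, not documented by the page):
    the logged number is 10 * the ACE's 1-based position in the sorted list.
    When the numbering is 10, 20, 30, ... the two coincide and the log is correct.
    """
    result = {
        "logged": logged,
        "is_configured_seq": logged in seqs,
        "position": None,
        "likely_seq": None,
    }
    if logged % 10 == 0 and 1 <= logged // 10 <= len(seqs):
        pos = logged // 10
        result["position"] = pos
        result["likely_seq"] = seqs[pos - 1]
    return result


def audit(config: str) -> dict:
    """Report which ACLs in the config have numbering that can produce misleading logs."""
    return {name: numbering_triggers_bug(seqs) for name, seqs in parse_acl(config).items()}


if __name__ == "__main__":
    acls = parse_acl(SAMPLE_ACL_CONFIG)
    print("ACLs with bug-triggering numbering:", audit(SAMPLE_ACL_CONFIG))
    # The case from the description: "foo" has 10, 20, 40 and the log says ACE 30.
    print(resolve_logged_ace(acls["foo"], 30))
```

When the report says `is_configured_seq` is False but `likely_seq` is set, the logged number does not exist in the ACL and the named entry is the one at that ordinal position; when neither fits, the log cannot be correlated with this mapping and the ACE list should be re-checked against the running configuration.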
Bug details contain sensitive information and therefore require an account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.