Cisco Bug: CSCun13225 - FWSM DOC - ACL-Enabled Inspection Limitation

Last Modified

Mar 17, 2014

Products (1)

  • Cisco Catalyst 6500 Series Firewall Services Module

Known Affected Releases

4.0(3.11)

Description (partial)

Symptom:
Configuring inspection with an ACL can cause unexpected ACL memory exhaustion,
even while the node has plenty of free ACL nodes. The node might not fully recover
from the error, and some nameif entries might be gone from the running configuration and hardware.


SAMPLE CONFIG:
Note: The value of "n" needed to hit the issue is unpredictable.

access-list ACL extended permit tcp any <S1> <M1> eq sunrpc
..<n x ACE>
access-list ACL extended permit tcp any <Sn> <Mn> eq sunrpc

service-policy GLOBAL_POLICY global

policy-map GLOBAL_POLICY
  class SUNRPC_CLASS
    inspect sunrpc
    
class-map SUNRPC_CLASS
  match access-list ACL

Conditions:
Inspection with ACL.
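
A configuration audit for the condition above, as an added example that is not part of the Cisco bug record: it lists every policy-map class that matches an access-list and also carries an inspect action, together with the ACE count of that ACL. The sample configuration, its addresses and the function name are constructed for illustration; the count is reported without a threshold because the record gives no value for n.

```python
from collections import defaultdict

# Constructed sample running-config; addresses are documentation ranges.
SAMPLE_CONFIG = """\
access-list ACL extended permit tcp any 192.0.2.0 255.255.255.0 eq sunrpc
access-list ACL remark second RPC server subnet
access-list ACL extended permit tcp any 198.51.100.0 255.255.255.0 eq sunrpc
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
class-map SUNRPC_CLASS
  match access-list ACL
class-map DEFAULT_INSPECT
  match default-inspection-traffic
policy-map GLOBAL_POLICY
  class SUNRPC_CLASS
    inspect sunrpc
  class DEFAULT_INSPECT
    inspect ftp
service-policy GLOBAL_POLICY global
"""

def acl_enabled_inspections(config):
    """Return sorted (policy_map, class_map, acl, ace_count, inspects) tuples for
    classes that match an access-list and have at least one inspect action."""
    ace_count = defaultdict(int)   # ACL name -> configured ACE lines (not expanded)
    class_acl = {}                 # class-map name -> ACL it matches
    inspects = defaultdict(list)   # (policy-map, class) -> inspect engines
    cmap = pmap = pclass = None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list" and len(tok) > 3 and tok[2] != "remark":
            if {"permit", "deny"} & set(tok[2:4]):
                ace_count[tok[1]] += 1
        elif tok[0] == "class-map":
            cmap, pmap, pclass = tok[-1], None, None
        elif tok[0] == "policy-map":
            pmap, cmap, pclass = tok[-1], None, None
        elif tok[:2] == ["match", "access-list"] and cmap and len(tok) > 2:
            class_acl[cmap] = tok[2]
        elif tok[0] == "class" and pmap and len(tok) > 1:
            pclass = tok[1]
        elif tok[0] == "inspect" and pmap and pclass and len(tok) > 1:
            inspects[(pmap, pclass)].append(tok[1])
    # Join at the end so the result does not depend on stanza order or indentation.
    return sorted((pm, cl, class_acl[cl], ace_count[class_acl[cl]], eng)
                  for (pm, cl), eng in inspects.items() if cl in class_acl)

if __name__ == "__main__":
    for pm, cl, acl, n, eng in acl_enabled_inspections(SAMPLE_CONFIG):
        print(f"{pm}/{cl}: inspect {','.join(eng)} via ACL {acl} ({n} ACEs)")
```

The count covers ACE lines as written in the configuration; ACEs that reference object groups expand to more entries in hardware.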