Cisco Bug: CSCuo11841 - 3750 CTS not accepting CoA pushed from ISE when SGACL id does not match
Nov 27, 2020
- Cisco Catalyst 3750 Series Switches
Known Affected Releases
Symptom: Starting with IOS 15.2, the 3750 supports RADIUS CoA from ISE, which can force an update of an SGACL (via the push button in ISE). ISE increments the SGACL id after every change. It then sends a CoA with the old id to indicate that all devices still using the SGACL with that id should send an Access-Request to update, because a new version is available.

The problem occurs in multiple scenarios where the SGACL id number is not synced between ISE and IOS. Example: IOS has the SGACL with id = 10. ISE sends a CoA for that SGACL with id = 12. IOS responds with CoA NAK: there is no such version to be updated. Only a CoA with SGACL id = 10 will be accepted.

IOS should accept all newer versions of the SGACL id. When it receives a version bigger than the one currently installed, IOS should accept that CoA and download the new version of the SGACL.

Conditions: A mistake in an SGACL cannot be recovered.
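The id mismatch described above can be replayed with a small model. This is an added example, not Cisco code: the class and function names are hypothetical, the ids 10 and 12 come from the bug text, and the model assumes an accepted CoA always ends with the switch installing the version ISE currently holds.

```python
from dataclasses import dataclass

@dataclass
class Switch:
    """Toy switch: SGACL name -> installed version id (constructed model)."""
    installed: dict
    accept_newer: bool = False  # False = behaviour reported in this bug

    def handle_coa(self, name, coa_id, ise):
        have = self.installed.get(name)
        if have is None:
            return "CoA-NAK"
        # Reported behaviour: only an exact id match is accepted.
        # Requested behaviour: any id at or above the installed one is accepted.
        if coa_id != have and not (self.accept_newer and coa_id > have):
            return "CoA-NAK"
        # Accepted: the switch re-requests the SGACL (Access-Request)
        # and installs whatever version ISE holds now.
        self.installed[name] = ise.current[name]
        return "CoA-ACK"

@dataclass
class Ise:
    """Toy ISE: bumps the id on every change, then sends CoA with the old id."""
    current: dict

    def change_and_push(self, name, switch):
        old = self.current[name]
        self.current[name] = old + 1
        return switch.handle_coa(name, old, self)

def replay(accept_newer, pushes=2):
    """Start out of sync (switch id 10, ISE id 12) and push `pushes` changes."""
    sw = Switch(installed={"sgacl": 10}, accept_newer=accept_newer)
    ise = Ise(current={"sgacl": 12})
    results = [ise.change_and_push("sgacl", sw) for _ in range(pushes)]
    return results, sw.installed["sgacl"]

if __name__ == "__main__":
    print("exact match only:", replay(False))
    print("accept newer ids:", replay(True))
```

With exact matching, every later push moves the ISE id further from the switch's, so the stale SGACL stays installed until the ids are brought back in sync some other way.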