Cisco Bug: CSCuo11841 - 3750 CTS not accepting CoA pushed from ISE when SGACL id does not match

Last Modified

Jan 29, 2017

Products (1)

  • Cisco Catalyst 3750 Series Switches

Known Affected Releases

15.2(1.1)

Description (partial)

Symptom:
Starting with IOS 15.2, the 3750 supports RADIUS CoA from ISE, which can force an SGACL update (via the push button in ISE).

ISE increments the SGACL id after every change. It then sends a CoA carrying the old id to indicate that all devices still using the SGACL with that id should send an Access-Request to update, because a new version is available.

The problem occurs in multiple scenarios where the SGACL id is not in sync between ISE and IOS. Example:
IOS has the SGACL with id = 10. ISE sends a CoA for that SGACL with id = 12, and IOS responds with CoA NAK: there is no such version to be updated. Only a CoA with SGACL id = 10 will be accepted.

IOS should accept all newer versions of the SGACL id. When it receives a higher version than the one currently installed, IOS should accept that CoA and download the new version of the SGACL.

Conditions:
A mistake in an SGACL cannot be recovered.
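
The id mismatch described above, as a small Python model added here (not Cisco code and not part of the bug report). It compares the reported exact-match check with the accept-newer behaviour the report asks for, starting from the page's out-of-sync state (IOS at id 10, ISE at id 12). The class and function names are hypothetical, and the Access-Request download is reduced to copying the ISE's current id.

```python
from dataclasses import dataclass


@dataclass
class Ise:
    """Model of the policy server: bumps the SGACL id on every change."""
    sgacl_id: int

    def change_and_push(self) -> int:
        """Edit the SGACL and return the id carried in the CoA (the old id)."""
        old = self.sgacl_id
        self.sgacl_id += 1
        return old


@dataclass
class Switch:
    """Model of the switch side; accept_newer=False is the reported behaviour."""
    sgacl_id: int
    accept_newer: bool = False

    def handle_coa(self, coa_id: int, ise: Ise) -> str:
        match = coa_id == self.sgacl_id
        newer = self.accept_newer and coa_id > self.sgacl_id
        if not (match or newer):
            return "CoA-NAK"  # installed SGACL stays as it is
        # Stand-in (assumption) for the Access-Request that fetches
        # the current SGACL version from ISE.
        self.sgacl_id = ise.sgacl_id
        return "CoA-ACK"


def run(accept_newer: bool, pushes: int = 3):
    """Start out of sync (switch 10, ISE 12), then push `pushes` changes."""
    ise = Ise(sgacl_id=12)
    sw = Switch(sgacl_id=10, accept_newer=accept_newer)
    replies = [sw.handle_coa(ise.change_and_push(), ise) for _ in range(pushes)]
    return replies, sw.sgacl_id, ise.sgacl_id


if __name__ == "__main__":
    for mode in (False, True):
        print("accept_newer =", mode, run(mode))
```

With the exact-match check every later push is also rejected, so the switch keeps enforcing the id 10 SGACL while ISE moves on, which is why a wrong SGACL cannot be corrected by pushing a fix.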