Cisco Bug: CSCup10155 - 3850 ACL is dropping flows matching an "established" acl entry

Last Modified

Nov 27, 2020

Products (1)

  • Cisco Catalyst 3850 Series Switches

Known Affected Releases


Description (partial)

The 3850 drops flows matching an "established" ACL entry when "no ip unreachables" is enabled on the interface.

It is not possible to SSH from the 3850 to any other device through an interface where an ACL permitting SSH is applied inbound and "no ip unreachables" is configured on the same interface.

The problem is reproducible with the following steps (for example, to see the drops on an SSH session started from the C3850):

1. Connect a switch with SSH enabled to the C3850.

2. Configure routing between both switches.

3. Configure an ACL on the 3850:

configure terminal
ip access-list extended ACL1
    10 permit tcp any eq 22 any established
    20 permit tcp any eq 22 any eq 1
    30 deny ip any any log

4. Configure "no ip unreachables" on the VLAN interface connecting to the other switch.

5. Apply ACL1 inbound on the same interface.

6. SSH to the other switch: you will see hits on entry 10 of the access list and a SYN-ACK from the other switch, but the SSH connection is not established.
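The reproduction hinges on what entry 10 is supposed to match. The following is an added example, not Cisco code and not part of the bug record: a small evaluator for ACL1 that applies the documented IOS semantics of the "established" keyword (a TCP segment matches only when its ACK or RST bit is set, with no connection tracking involved). The segments are constructed for illustration, with 50000 assumed as the 3850's ephemeral source port. It shows the expected, non-buggy outcome of step 6: the SYN-ACK reply from the remote SSH server is permitted by entry 10 (which is why the hit counter increments), while an unsolicited SYN to port 22, or a bare SYN that merely uses 22 as its source port, falls through to the logged deny at entry 30. The platform drop that the bug describes happens after this lookup and is not modelled here.

```python
"""Added example (not Cisco code): a minimal evaluator for the extended ACL
in the bug report, using the documented IOS semantics of "established":
a TCP segment matches an ACE carrying that keyword only when its ACK or RST
bit is set. All segments below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TcpSegment:
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Ace:
    """One access-control entry; None for a port means 'any'."""
    seq: int
    action: str                  # "permit" or "deny"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    established: bool = False
    log: bool = False

    def matches(self, seg: TcpSegment) -> bool:
        if self.src_port is not None and seg.src_port != self.src_port:
            return False
        if self.dst_port is not None and seg.dst_port != self.dst_port:
            return False
        # "established" is a flag check, not connection tracking: the ACE
        # matches any segment with ACK or RST set, regardless of a prior SYN.
        if self.established and not (seg.ack or seg.rst):
            return False
        return True


# ACL1 from the bug report, as evaluated on traffic entering the interface.
ACL1: List[Ace] = [
    Ace(10, "permit", src_port=22, established=True),
    Ace(20, "permit", src_port=22, dst_port=1),
    Ace(30, "deny", log=True),
]


def evaluate(acl: List[Ace], seg: TcpSegment) -> Tuple[str, Optional[int]]:
    """First-match evaluation; implicit deny (seq None) if nothing matches."""
    for ace in acl:
        if ace.matches(seg):
            return ace.action, ace.seq
    return "deny", None


def ace_hit_counts(acl: List[Ace], segs: List[TcpSegment]) -> Dict[int, int]:
    """Per-ACE hit counters, like the counts shown by 'show access-lists'."""
    counts = {ace.seq: 0 for ace in acl}
    for seg in segs:
        _, seq = evaluate(acl, seg)
        if seq is not None:
            counts[seq] += 1
    return counts


# Constructed inbound segments as seen on the C3850's VLAN interface
# (50000 is an assumed ephemeral port chosen by the 3850's SSH client).
# Reply to the SSH session the 3850 initiated: src 22, SYN+ACK set.
RETURN_SYN_ACK = TcpSegment(src_port=22, dst_port=50000, syn=True, ack=True)
# Server tearing the session down: RST also satisfies "established".
RETURN_RST = TcpSegment(src_port=22, dst_port=50000, rst=True)
# Unsolicited SSH attempt toward the 3850: no ACK, no match on 10 or 20.
UNSOLICITED_SYN = TcpSegment(src_port=40000, dst_port=22, syn=True)
# Bare SYN that merely uses 22 as its source port: the flag check blocks it.
SRC22_SYN = TcpSegment(src_port=22, dst_port=50000, syn=True)

if __name__ == "__main__":
    samples = [("SYN-ACK reply", RETURN_SYN_ACK), ("RST reply", RETURN_RST),
               ("unsolicited SYN", UNSOLICITED_SYN), ("src-port-22 SYN", SRC22_SYN)]
    for name, seg in samples:
        print(f"{name:16} -> {evaluate(ACL1, seg)}")
    print(ace_hit_counts(ACL1, [seg for _, seg in samples]))
```

Running the block prints the permit/deny decision and matching entry for each sample, then the per-entry counters: entry 10 receives the two reply segments, entry 30 the two unsolicited ones. This is the state the bug report describes at step 6 (hits on entry 10, SYN-ACK visible), minus the platform drop that follows.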