Cisco Bug: CSCuq07716 - netio crashes when filtering ACL with object-groups

Last Modified

Sep 17, 2019

Products (1)

  • Cisco Carrier Routing System

Known Affected Releases

5.2.2.BASE

Description (partial)

Symptom:

netio crashes when filtering a slow-path packet with an ACL.

Conditions:

Conditions (1), (3), (4) and (5) must all be true.
Condition (2) is optional:

(1) An ACL (IPv4 or IPv6) is applied on an interface.
(2) The ACL optionally contains the "log" keyword. Note that the "log"
    keyword is NOT a required condition. It merely increases
    the chance that a packet filtered by hardware is sent to
    netio for slow-path ACL matching, because "log" causes the
    ACL to generate a console log for the filtered packet, and
    the generation and delivery of that console log involve
    ACL logic in netio. There are other conditions under which a
    packet is sent to netio without any ACE carrying the "log" keyword.
(3) The ACL has been previously edited. Specifically, a non-remark
    ACE was changed to a remark ACE as a result of this edit. This
    is the single most important trigger of this bug.
(4) A packet that matches the previously non-remark ACE is filtered
    by the slow path, i.e. it is sent to netio for slow-path processing.
(5) The ACL must contain an object-group, and/or it is applied with
    compression (the compression level is 1 or 3, not 0).