Cisco Bug: CSCuq13494 - ASR1k-IPv6 Egress ACL Intermittently Misclassifies and Drops ESP packets

Last Modified

Feb 02, 2017

Products (1)

  • Cisco ASR 1000 Series Aggregation Services Routers

Known Affected Releases

15.3(3)S3

Description (partial)

Symptom:
The outbound IPv6 access list intermittently misclassifies and drops egress ESP traffic. This happens immediately after encryption, while parsing the egress IPv6 traffic filter.

The dropped ESP packet is misclassified using its original (pre-encryption) IP Protocol ID; e.g., an encrypted ICMP packet is checked against ICMP ACL entries (IP Protocol 1), and an encrypted TCP or UDP packet is checked against the entries for its respective protocol number. If no protocol-specific ACL entries exist, the encrypted packet is checked against the generic IP ACL rules. The result of all these egress ACL checks is an IPv6 Access-List Drop.

Conditions:
GETVPN GM with IPv6 DataPlane, running on IOS 15.3(3)S3 / ASR1002-X
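
The symptom above can be reproduced on paper with a simplified first-match ACL model. This is an added example, not Cisco code or output from an affected device; the ACL entries, the `Packet` type and the function names are constructed for illustration, and matching is by protocol name only.

```python
# Constructed model of first-match egress ACL evaluation; not Cisco code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    inner_proto: str   # protocol before encryption: "icmp", "tcp", "udp"
    encrypted: bool    # True once ESP encapsulation has been applied

    @property
    def wire_proto(self) -> str:
        # What is actually on the wire at egress.
        return "esp" if self.encrypted else self.inner_proto

# Hypothetical egress ACL: (action, protocol); "ipv6" matches any protocol.
EGRESS_ACL = [
    ("permit", "esp"),
    ("deny", "icmp"),
    ("deny", "ipv6"),
]

def evaluate(acl, proto):
    """Return (action, matched_entry) for the first entry matching proto."""
    for action, match in acl:
        if match in (proto, "ipv6"):
            return action, (action, match)
    return "deny", ("deny", "implicit")

def egress_check(acl, pkt, misclassify=False):
    """misclassify=True models the symptom: the lookup key is the
    pre-encryption protocol instead of ESP."""
    key = pkt.inner_proto if misclassify else pkt.wire_proto
    return evaluate(acl, key)

def compare(acl, inner_protos=("icmp", "tcp", "udp")):
    """Rows of (inner_proto, expected_action, misclassified_action, entry hit)."""
    rows = []
    for proto in inner_protos:
        pkt = Packet(proto, encrypted=True)
        expected, _ = egress_check(acl, pkt)
        seen, hit = egress_check(acl, pkt, misclassify=True)
        rows.append((proto, expected, seen, hit))
    return rows

if __name__ == "__main__":
    for row in compare(EGRESS_ACL):
        print(row)
```

The last column shows which entry's drop counter would increment in this model: the protocol-specific entry for ICMP, the generic entry for TCP and UDP.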