Cisco Bug: CSCvs52116 - PBR is marking traffic with DSCP values only in one direction
Jun 18, 2020
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom: PBR with DSCP marking is configured on ASA or FTD, like this:

  route-map test_map permit 10
   match ip address test
   set ip dscp af41

  access-list test extended deny udp any any
  access-list test extended permit ip any any

  interface GigabitEthernet0/0
   nameif inside
   cts manual
    propagate sgt preserve-untag
    policy static sgt disabled trusted
   security-level 0
   ip address 192.168.10.1 255.255.255.0
   policy-route route-map test_map
  !
  interface GigabitEthernet0/1
   nameif outside
   cts manual
    propagate sgt preserve-untag
    policy static sgt disabled trusted
   security-level 0
   ip address 192.168.11.1 255.255.255.0
   policy-route route-map test_map

Traffic leaving the FTD will have proper DSCP markings if it matches the ACL, or PBR match statement. However, traffic of the same connection coming back won't be re-marked with proper DSCP markings. In addition, it seems that for connections initiated from outside in such configurations, returning traffic won't hit PBR, as it is already considered part of an existing connection and skips PBR processing on ingress (inside side of FTD).

Conditions: FTD or ASA is used to mark traffic DSCP field by PBR. Tested with FTDv 6.5.0 and ASAv 184.108.40.206.
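One way to confirm the symptom from packet captures taken on the egress side of the firewall, as an added example that is not part of the Cisco bug record: it reads the DSCP field from raw IPv4 headers and reports host pairs marked in only one direction. The function names and the host addresses 192.168.10.10 and 192.168.11.10 are assumptions, and the sample headers are constructed.

```python
import struct
from collections import defaultdict

AF41 = 34  # decimal DSCP value of af41 (binary 100010)

def ipv4_header(src, dst, dscp, proto):
    """Build a minimal 20-byte IPv4 header (constructed sample; checksum left 0)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64,
                       proto, 0, addr(src), addr(dst))

def parse_ipv4(header):
    """Return (src, dst, protocol, dscp) from raw IPv4 header bytes."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    dotted = lambda b: ".".join(str(o) for o in b)
    # DSCP is the upper six bits of the second header byte; the low two are ECN.
    return dotted(header[12:16]), dotted(header[16:20]), header[9], header[1] >> 2

def one_way_marked(headers, expected=AF41):
    """List host pairs where one direction always carries `expected` and the other never does."""
    seen = defaultdict(lambda: defaultdict(set))
    for raw in headers:
        src, dst, proto, dscp = parse_ipv4(raw)
        pair = (tuple(sorted((src, dst))), proto)
        seen[pair][(src, dst)].add(dscp)
    findings = []
    for (_, proto), directions in seen.items():
        marked = [d for d, v in directions.items() if v == {expected}]
        unmarked = [d for d, v in directions.items() if expected not in v]
        if marked and unmarked:
            findings.append({"proto": proto, "marked": marked[0], "unmarked": unmarked[0]})
    return findings

# Constructed sample: TCP (6) is marked outbound only, as in the symptom;
# UDP (17) is denied by access-list "test", so it is unmarked both ways.
SAMPLE = [
    ipv4_header("192.168.10.10", "192.168.11.10", AF41, 6),
    ipv4_header("192.168.11.10", "192.168.10.10", 0, 6),
    ipv4_header("192.168.10.10", "192.168.11.10", 0, 17),
    ipv4_header("192.168.11.10", "192.168.10.10", 0, 17),
]

if __name__ == "__main__":
    for finding in one_way_marked(SAMPLE):
        print(finding)
```
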