Cisco Bug: CSCvs52116 - PBR is marking traffic with DSCP values only in one direction

Last Modified

Jun 18, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.12(1.1)

Description (partial)

Symptom:
PBR with mark DSCP marking is configured in ASA or FTD, like this:
route-map test_map permit 10
 match ip address test
 set ip dscp af41
access-list test extended deny udp any any
access-list test extended permit ip any any
interface GigabitEthernet0/0
 nameif inside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 192.168.10.1 255.255.255.0
 policy-route route-map test_map
!
interface GigabitEthernet0/1
 nameif outside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 192.168.11.1 255.255.255.0
 policy-route route-map test_map 

Traffic leaving the FTD carries the expected DSCP marking if it matches the ACL referenced by the PBR match statement. However, the return traffic of that same connection is not remarked with the expected DSCP value. In addition, connections initiated from the outside in such configurations do not appear to have their returning traffic hit PBR at all: the return packets are already associated with an existing connection and skip PBR processing on ingress (the inside interface of the FTD).
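The symptom above (one direction of a connection marked af41, the reply direction left unmarked) is easiest to confirm from captures taken on the hosts on either side of the firewall. The following is an added example, not code from the Cisco bug report: it takes a list of per-packet records (the minimal Packet dataclass and the sample packets are constructed for illustration; in practice you would fill the records from a pcap parser), folds both directions of a flow onto one key, and reports flows whose DSCP values differ by direction.

```python
"""Report flows whose DSCP marking differs between the two directions.

Added example for the CSCvs52116 symptom; it is not code from the Cisco page.
Feed it per-packet records captured on the far side of the ASA/FTD and it
lists connections where the forward and return direction carry different
DSCP values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Hypothetical minimal packet record (fill from a pcap parser in practice)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int
    dscp: int    # 6-bit DSCP value from the IP header; af41 is 34


AF41 = 34


def flow_key(p):
    """Return a direction-independent flow key and which way this packet travels.

    Endpoints are sorted so that a packet and its reply map to the same key.
    """
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    direction = "a->b" if a == lo else "b->a"
    return (p.proto, lo, hi), direction


def find_asymmetric_marking(packets):
    """Return flows seen in both directions whose DSCP sets differ per direction."""
    seen = defaultdict(lambda: defaultdict(set))
    for p in packets:
        key, direction = flow_key(p)
        seen[key][direction].add(p.dscp)

    findings = []
    for (proto, lo, hi), dirs in seen.items():
        if len(dirs) < 2:
            continue  # only one direction captured: nothing to compare
        if dirs["a->b"] != dirs["b->a"]:
            findings.append({
                "proto": proto,
                "a": lo,
                "b": hi,
                "dscp_a_to_b": sorted(dirs["a->b"]),
                "dscp_b_to_a": sorted(dirs["b->a"]),
            })
    return findings


# Constructed sample: inside host 192.168.10.50 talks to outside host 192.168.11.50
# through the interfaces shown in the bug's configuration.
SAMPLE_PACKETS = [
    # TCP flow permitted by the ACL: inside->outside is marked af41, the reply is not.
    Packet("192.168.10.50", "192.168.11.50", "tcp", 51000, 443, AF41),
    Packet("192.168.11.50", "192.168.10.50", "tcp", 443, 51000, 0),
    Packet("192.168.10.50", "192.168.11.50", "tcp", 51000, 443, AF41),
    # UDP flow denied by the ACL: neither direction is marked, so it is symmetric.
    Packet("192.168.10.50", "192.168.11.50", "udp", 40000, 53, 0),
    Packet("192.168.11.50", "192.168.10.50", "udp", 53, 40000, 0),
    # TCP flow marked af41 in both directions: the behaviour one would expect.
    Packet("192.168.10.60", "192.168.11.60", "tcp", 52000, 80, AF41),
    Packet("192.168.11.60", "192.168.10.60", "tcp", 80, 52000, AF41),
]


if __name__ == "__main__":
    for finding in find_asymmetric_marking(SAMPLE_PACKETS):
        print(finding)
```

Only the first TCP flow is reported: the UDP flow is unmarked in both directions (it is denied by the ACL, so PBR never marks it), and the second TCP flow is marked consistently. Running this against real captures before and after upgrading to a fixed release gives a quick confirmation that return traffic is being remarked.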

Conditions:
An FTD or ASA is used to mark the DSCP field of traffic via PBR. Tested with FTDv 6.5.0 and ASAv 9.12.2.4.