Cisco Bug: CSCvu33233 - [J2] Deny Action is not working for non-initial fragments when ACE contains "L3+L4"
Aug 27, 2020
- Cisco ASR 9000 Series Aggregation Services Routers
Known Affected Releases
Symptom: The IPv6 ACL deny action does not work properly when the ACL contains an ACE with "L3+L4" match criteria. With a configuration such as:

RP/0/RP0/CPU0#show access-lists ipv6 V6FragTst hardware ingress location 0/0/CPU0
ipv6 access-list V6FragTst
 30 deny tcp any eq 1024 any eq 1024 (10318649 matches)
 100 permit ipv6 any any

when a TCP packet with a fragment offset (FO) greater than 0 is sent, it should not match ACE 30, but it does.

Conditions: This happens when the TCP packet is a non-initial fragment (Fragment header with a non-zero FO value). Under this condition an ACE with L4 match criteria should match only non-fragmented and initial-fragment packets, so these packets should not have been denied.
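The classification semantics the report describes, written out as an added Python model (this is not Cisco's code or the ASR 9000 lookup logic): a minimal IPv6 extension-header walker that records the Fragment header's offset, then an evaluator for the ACL from the bug report in which an ACE carrying L4 port criteria is matched only against non-fragmented and initial-fragment packets. A `strict=False` switch reproduces the reported wrong outcome (ports read from whatever bytes sit at the L4 position of a non-initial fragment) so the two results can be compared. Header layouts follow RFC 8200; the packets and addresses are constructed sample data.

```python
import struct

IPV6_NH_TCP = 6
IPV6_NH_FRAGMENT = 44
# Hop-by-hop (0), Routing (43) and Destination Options (60) share the generic
# layout: next header, then header length in 8-octet units not counting the first 8.
GENERIC_EXT_HEADERS = {0, 43, 60}

SRC = b"\x20\x01" + b"\x00" * 13 + b"\x01"   # constructed 2001::1
DST = b"\x20\x01" + b"\x00" * 13 + b"\x02"   # constructed 2001::2


def build_ipv6_tcp(sport, dport, frag_offset=None, more_frags=False):
    """Constructed sample packet: IPv6 header, optional Fragment header, 20 bytes
    that look like a TCP header. frag_offset is in 8-octet units as on the wire.
    On a real non-initial fragment the bytes after the Fragment header are
    arbitrary payload; keeping the TCP-shaped bytes here shows what a classifier
    that ignores the offset would wrongly read as ports."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    payload, next_header = tcp, IPV6_NH_TCP
    if frag_offset is not None:
        frag_field = (frag_offset << 3) | (1 if more_frags else 0)
        payload = struct.pack("!BBHI", IPV6_NH_TCP, 0, frag_field, 0x1234) + payload
        next_header = IPV6_NH_FRAGMENT
    ip6 = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64, SRC, DST)
    return ip6 + payload


def parse(pkt):
    """Walk the extension-header chain. L4 ports are reported only when the
    packet is unfragmented or the initial fragment, i.e. when the L4 header is
    really present; raw_ports is what sits at the L4 position regardless."""
    nh, off = pkt[6], 40
    frag_offset, more = None, False
    while True:
        if nh == IPV6_NH_FRAGMENT:
            nh_next, _, frag_field, _ = struct.unpack_from("!BBHI", pkt, off)
            frag_offset, more = frag_field >> 3, bool(frag_field & 1)
            off, nh = off + 8, nh_next
        elif nh in GENERIC_EXT_HEADERS:
            nh_next, hdr_len = struct.unpack_from("!BB", pkt, off)
            off, nh = off + (hdr_len + 1) * 8, nh_next
        else:
            break
    non_initial = frag_offset is not None and frag_offset > 0
    raw = struct.unpack_from("!HH", pkt, off) if off + 4 <= len(pkt) else None
    ports = raw if (nh == IPV6_NH_TCP and not non_initial) else None
    return {"proto": nh, "frag_offset": frag_offset, "more": more,
            "non_initial": non_initial, "ports": ports, "raw_ports": raw}


# The ACL from the bug report, as data: (seq, action, protocol, sport, dport);
# None means "any".
ACL = [
    (30, "deny", IPV6_NH_TCP, 1024, 1024),
    (100, "permit", None, None, None),
]


def ace_matches(ace, info, strict=True):
    _, _, proto, sport, dport = ace
    if proto is not None and info["proto"] != proto:
        return False
    if sport is None and dport is None:
        return True                      # pure L3 ACE: fragments of any kind match
    if info["non_initial"]:
        if strict:
            return False                 # correct: L4 ACE never matches a non-initial fragment
        ports = info["raw_ports"]        # reported defect: classify arbitrary bytes as ports
    else:
        ports = info["ports"]
    if ports is None:
        return False
    sp, dp = ports
    return (sport is None or sp == sport) and (dport is None or dp == dport)


def evaluate(pkt, acl=ACL, strict=True):
    """Return (sequence, action) of the first matching ACE, or (None, 'deny')."""
    info = parse(pkt)
    for ace in acl:
        if ace_matches(ace, info, strict):
            return ace[0], ace[1]
    return None, "deny"                  # implicit deny at the end of the ACL


if __name__ == "__main__":
    non_initial = build_ipv6_tcp(1024, 1024, frag_offset=5)
    print("non-initial fragment, correct :", evaluate(non_initial))
    print("non-initial fragment, as reported:", evaluate(non_initial, strict=False))
```

With the correct semantics a non-initial fragment falls past ACE 30 and is permitted by ACE 100; the `strict=False` path is the behaviour the bug report observes, where the same fragment is counted against ACE 30 and dropped. Counters on an L4 ACE climbing for traffic known to be fragmented is the observable hint that a platform is classifying non-initial fragments this way.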
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases