Preview Tool

Cisco Bug: CSCvu33233 - [J2] Deny Action is not working for non-initial fragments when ACE contains "L3+L4"

Last Modified

Aug 27, 2020

Products (1)

  • Cisco ASR 9000 Series Aggregation Services Routers

Known Affected Releases

7.2.1.BASE 7.3.1.BASE

Description (partial)

IPv6 ACL deny action is not working properly when it has an ACE with "L3+L4".
In config like:

RP/0/RP0/CPU0#show access-lists ipv6 V6FragTst hardware ingress location 0/0/CPU0
ipv6 access-list V6FragTst
30 deny tcp any eq 1024 any eq 1024  (10318649 matches)
100 permit ipv6 any any

when packet with TCP with FO >0 is sent, it should not match ACE 30.
But it matches 30.

This happens when TCP packet has non-initial Fragment (Fragment header with FO value non-zero).
Under this condition the match should be only for non-fragmented and initial-fragment packets.
So this packets should not have been denied.
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.