Cisco Bug: CSCvu36475 - Numbered ACLs fail to program to software TCAM if there's an object-group config

Last Modified

Sep 24, 2020

Products (1)

  • Cisco IOS

Known Affected Releases

16.9.5

Description (partial)

Symptom:
A router may experience packet drops due to Ipv4AclLookupMiss:

Router#show platform hardware qfp active statistics drop 
-------------------------------------------------------------------------
Global Drop Stats                         Packets                  Octets  
-------------------------------------------------------------------------
Disabled                                        5                    1033  
EncapInvalid                                  659                   39540  
Ipv4AclLookupMiss                             393                   44802   <------
Ipv4NoAdj                                      26                    3831  
Ipv4NoRoute                                     6                     510  

Ipv4AclLookupMiss is usually associated with drops due to the implicit deny at the end of every ACL.

Conditions:
A router has an ACL configured with an object-group like this:

<more ACL entries>
access-list 150 permit ip object-group RDPHosts object-group SERVERS1
access-list 150 permit tcp host 10.1.1.134 eq 22 object-group USERS_SSH
<more ACL entries>
access-list 150 permit ip any any
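
A triage helper for the symptom and condition above, added here as an example and not taken from Cisco: it reads the Ipv4AclLookupMiss counter from the drop statistics and lists numbered ACLs in a saved configuration that reference an object-group. The sample inputs are constructed from the excerpts on this page (ACL 10 and its addresses are invented), and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the output and config excerpts above.
DROP_OUTPUT = """\
Global Drop Stats                         Packets                  Octets
Disabled                                        5                    1033
Ipv4AclLookupMiss                             393                   44802   <------
Ipv4NoRoute                                     6                     510
"""
CONFIG = """\
access-list 150 permit ip object-group RDPHosts object-group SERVERS1
access-list 150 permit tcp host 10.1.1.134 eq 22 object-group USERS_SSH
access-list 150 permit ip any any
access-list 10 permit 192.0.2.0 0.0.0.255
"""

def drop_counters(text):
    """Return {reason: (packets, octets)} from the QFP drop statistics table."""
    counters = {}
    for line in text.splitlines():
        # Header and separator rows have no numeric columns and are skipped.
        m = re.match(r"^(\S+)\s+(\d+)\s+(\d+)\s*(?:<-+)?\s*$", line)
        if m:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters

def numbered_acls_with_object_groups(config):
    """Return numbered ACLs that reference at least one object-group."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"^access-list\s+(\d+)\s+(.*)$", line.strip())
        if not m:
            continue
        acl = acls.setdefault(m.group(1), {"groups": set(), "last": ""})
        acl["groups"].update(re.findall(r"object-group\s+(\S+)", m.group(2)))
        acl["last"] = m.group(2).strip()  # remember the final entry seen
    return {num: {"object_groups": sorted(a["groups"]),
                  "ends_permit_any": a["last"] == "permit ip any any"}
            for num, a in acls.items() if a["groups"]}

def triage(drop_text, config):
    """Report suspect ACLs only when Ipv4AclLookupMiss is non-zero."""
    packets, _ = drop_counters(drop_text).get("Ipv4AclLookupMiss", (0, 0))
    suspects = numbered_acls_with_object_groups(config) if packets else {}
    return {"acl_lookup_miss_packets": packets, "suspect_acls": suspects}

if __name__ == "__main__":
    print(triage(DROP_OUTPUT, CONFIG))
```

An ACL reported with ends_permit_any set matches the page's example, where the list ends in an explicit permit ip any any yet lookup-miss drops are still counted.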