Cisco Bug: CSCvv20380 - Removing and Adding Bulk ACL leads to Tracebacks and Error-Objects

Last Modified

Oct 05, 2020

Products (1)

  • Cisco ASR 1000 Series Aggregation Services Routers

Known Affected Releases

16.12.2

Description (partial)

Symptom:
When an ACL with a large number of ACEs is modified while it is already attached to the target interface, tracebacks and DP download failure logs are generated.


*Jun 20 11:17:57.627: %CPPOSLIB-3-ERROR_NOTIFY: F0: cpp_sp: cpp_sp encountered an error -Traceback= 1#bb5afb45dd7b21eb3b261187cbdbe584   errmsg:7F5958015000+A80 cpp_common_os:7F595B26B000+DB2C cpp_common_os:7F595B26B000+1BA0E cfm:7F59503BE000+29B52 cpp_fm_server:7F595FD17000+44CBA cpp_fm_server:7F595FD17000+3EAFE cpp_fm_server:7F595FD17000+55B3E cfm:7F59503BE000+D24F cfm:7F59503BE000+1410D cfm:7F59503BE000+130A2 cgm:7F595063B000+32E60 cgm:7F595063B000+2CD9F cgm:7F595063B000+2B973 cgm:7F595063B000+2ACCC cgm:7F595063B000+2CCCB cgm:7F595063B0
*Jun 20 11:19:34.635: %FMFP_ACL-3-ACL_OBJECT_DOWNLOAD: F0: fman_fp_image: ACL create/modify for ACL ANTI-SPOOFING fail to download because No such process.
*Jun 20 11:19:34.635: %FMFP-3-OBJ_DWNLD_TO_DP_FAILED: F0: fman_fp_image: ACL: ANTI-SPOOFING idx: 1 download to DP failed

The object-manager statistics also show error-objects for the failed DP programming:

ASR1006#sh plat software object-manager fp ac statistics 
Forwarding Manager Asynchronous Object Manager Statistics
 
Object update: Pending-issue: 0, Pending-acknowledgement: 0
Batch begin:   Pending-issue: 0, Pending-acknowledgement: 0
Batch end:     Pending-issue: 0, Pending-acknowledgement: 0
Command:       Pending-acknowledgement: 0
Total-objects: 871
Stale-objects: 0
Resolve-objects: 0
Childless-delete-objects: 2
Error-objects: 1
Paused-types: 3
 
Inspecting the error-objects further shows that they relate to the ACL that was just modified.

Once the ACL is in this state, all new changes to the ACL fail and do not take effect. However, the older entries still work.
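
Because new ACEs silently fail to take effect in this state, it helps to correlate the syslog messages with the Error-objects counter. The following is an added example, not Cisco tooling and not part of the original bug text; the function names are illustrative and the sample input is built from the lines quoted above.

```python
import re

# Message patterns taken from the syslog lines quoted in the symptom text.
PATTERNS = {
    "traceback": re.compile(r"%CPPOSLIB-3-ERROR_NOTIFY: .*cpp_sp encountered an error"),
    "acl_download": re.compile(
        r"%FMFP_ACL-3-ACL_OBJECT_DOWNLOAD: .*ACL create/modify for ACL (\S+) fail to download"),
    "dp_failed": re.compile(
        r"%FMFP-3-OBJ_DWNLD_TO_DP_FAILED: .*ACL: (\S+) idx: \d+ download to DP failed"),
}
COUNTER_RE = re.compile(r"^\s*([A-Za-z-]+-objects|Paused-types):\s*(\d+)\s*$", re.M)

def scan_syslog(text):
    """Return (traceback_count, {acl_name: set of failure message kinds})."""
    tracebacks, acls = 0, {}
    for line in text.splitlines():
        if PATTERNS["traceback"].search(line):
            tracebacks += 1
        for kind in ("acl_download", "dp_failed"):
            m = PATTERNS[kind].search(line)
            if m:
                acls.setdefault(m.group(1), set()).add(kind)
    return tracebacks, acls

def parse_counters(show_output):
    """Extract the object counters from the object-manager statistics output."""
    return {name: int(value) for name, value in COUNTER_RE.findall(show_output)}

def stuck_acls(syslog_text, show_output):
    """ACLs whose latest edits may not be programmed: failure log plus Error-objects > 0."""
    _, acls = scan_syslog(syslog_text)
    if parse_counters(show_output).get("Error-objects", 0) == 0:
        return []
    return sorted(acls)

# Constructed sample: log lines as quoted on this page, traceback frames shortened.
SAMPLE_LOG = """\
*Jun 20 11:17:57.627: %CPPOSLIB-3-ERROR_NOTIFY: F0: cpp_sp: cpp_sp encountered an error -Traceback= <frames omitted>
*Jun 20 11:19:34.635: %FMFP_ACL-3-ACL_OBJECT_DOWNLOAD: F0: fman_fp_image: ACL create/modify for ACL ANTI-SPOOFING fail to download because No such process.
*Jun 20 11:19:34.635: %FMFP-3-OBJ_DWNLD_TO_DP_FAILED: F0: fman_fp_image: ACL: ANTI-SPOOFING idx: 1 download to DP failed
"""
SAMPLE_STATS = """\
Total-objects: 871
Error-objects: 1
Paused-types: 3
"""

if __name__ == "__main__":
    print("ACLs to re-verify:", stuck_acls(SAMPLE_LOG, SAMPLE_STATS))
```

Any ACL this returns should have its intended entries re-verified against what the data plane is actually enforcing.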

Conditions:
The router must meet the conditions below in order to hit this defect:
  • Running Polaris 16.12.2 or higher code.
  • The ACL has a large number of ACEs and is attached to the interface while being modified.
  • A quick copy-paste of config changes under the ACL using the CLI.