...
After editing two or more IPv4 or IPv6 ACLs that are already applied on an interface, the change does not seem to take effect. Sometimes the affected ACLs appear differently in the output of the "show access-list ipv4 " and "show access-list ipv4 hardware ingress location " commands. This means the ACL's definition is out of sync between the Control Plane and the Data Plane.
A few criteria must be met to trigger this issue.
(1) Two or more ACLs are edited at the same time. "ACL edit" here means adding or deleting one or more ACEs within an ACL. The ACL must already have been applied to at least 1 interface in the system. If the ACL is defined but not used anywhere, this problem will not occur.
(2) Editing a regular ACL will not trigger the problem. If any one of the following conditions is met, the ACL is NOT a regular ACL, and editing it will contribute to the occurrence of the problem:
(a) The ACL is compressed
(b) The ACE was previously a classic ACE (i.e. contained no object-groups), but after editing it contains object-groups
(c) The ACE previously contained an object-group and, after editing, still contains an object-group
(d) The ACE previously contained an object-group and, after editing, no longer contains an object-group
(e) The ACE is deleted or added, and it contains an object-group
(f) The ACE is deleted or added and contains no object-group, but another, unchanged ACE in the same ACL contains an object-group
(g) The ACE is deleted or added and contains no object-group, but the ACL is compressed
There is no reliable workaround once this problem has occurred. Preventative measures are advised. One straightforward measure is to edit non-regular ACLs (see the section above for the definition of a "non-regular" ACL) one by one. That is, edit one non-regular ACL, then commit, then edit another one. Do NOT edit two or more non-regular ACLs in one commit.
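The preventative measure can be checked before a change window. The Python sketch below is an added example, not Cisco code: it classifies each pending ACL edit against conditions (a) to (g) and splits the change into commits that never contain two non-regular ACL edits. Assumptions: the change set is supplied as a dictionary (a hypothetical format), object-group references are recognised by the ACE keywords net-group and port-group, and the ACL names and ACEs are constructed samples.

```python
import re

# Assumption: an ACE that references an object-group contains one of these
# keywords; adjust the pattern to match your own configuration.
OBJECT_GROUP_RE = re.compile(r"\b(?:net-group|port-group)\b")

def uses_object_group(aces):
    return any(OBJECT_GROUP_RE.search(ace) for ace in aces)

def is_non_regular_edit(acl):
    """True if this pending edit counts toward the trigger conditions."""
    if acl["before"] == acl["after"] or not acl["applied"]:
        return False  # unedited, or not applied to any interface
    # (a)/(g): compressed ACL. (b)-(f): an object-group appears in some ACE
    # of the old or the new version, whether or not that ACE itself changed.
    return acl["compressed"] or uses_object_group(acl["before"] + acl["after"])

def plan_commits(change_set):
    """Split pending edits so no commit holds two non-regular ACL edits."""
    edited = sorted(n for n, a in change_set.items() if a["before"] != a["after"])
    risky = [n for n in edited if is_non_regular_edit(change_set[n])]
    regular = [n for n in edited if n not in risky]
    # Conservative choice: regular edits share one commit, and every
    # non-regular ACL gets a commit of its own.
    return ([regular] if regular else []) + [[n] for n in risky]

# Constructed sample change set (ACL names and ACEs are made up).
CHANGE_SET = {
    "EDGE-IN": {"applied": True, "compressed": False,
                "before": ["10 permit tcp any host 192.0.2.10 eq 443"],
                "after": ["10 permit tcp any host 192.0.2.10 eq 443",
                          "20 permit tcp net-group ADMINS any eq 22"]},
    "CORE-IN": {"applied": True, "compressed": True,
                "before": ["10 deny udp any any eq 161"],
                "after": ["10 deny udp any any eq 161", "20 permit ipv4 any any"]},
    "MGMT-IN": {"applied": True, "compressed": False,
                "before": ["10 permit tcp any any eq 22"],
                "after": ["10 permit tcp any any eq 22", "20 deny ipv4 any any"]},
    "LAB-UNUSED": {"applied": False, "compressed": False,
                   "before": ["10 permit tcp net-group LAB any"],
                   "after": []},
}

if __name__ == "__main__":
    for i, batch in enumerate(plan_commits(CHANGE_SET), 1):
        print(f"commit {i}: {', '.join(batch)}")
```

Conditions (b) to (f) collapse to one test: the ACL is non-regular if any ACE in its old or new version references an object-group.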
The issue is fixed in IOS-XR 5.1.1. The problem is NOT applicable to IOS-XR 4.3.0 and prior releases. The first affected release is IOS-XR 4.3.1. The problem is also not applicable to IOS-XR 5.1.0, because IOS-XR 5.1.0 does not contain the Scale ACL feature (with sub-features such as object-groups and ACL compression), even though its version number is later than 4.3.1.