BugZero | Cisco BugID CSCvo57938 - Sufficient free entries are not available in TCAM ...

Cisco - Defect ID: CSCvo57938

Sufficient free entries are not available in TCAM bank

Cisco - Defect ID: CSCvo57938

Sufficient free entries are not available in TCAM bank

Last updated on 1/3/2020

Overall: 5.55.5

Severity: 6.46.4

Lifecycle: 9.19.1

Popularity: 3.73.7

What is the BugZero Risk Score?

Vendor details

No defect details.

Overall: 5.55.5

Severity: 6.46.4

Lifecycle: 9.19.1

Popularity: 3.73.7

What is the BugZero Risk Score?

Vendor details

No defect details.

Symptom

There are two issues. 1. There is IPv6 free space on TCAM. But I could not add rules. This issue happened on C9332PQ. 2. One IPv4 ACL could not apply to this interface when the interface has been applied to one IPv6 ACL. This issue happened on C93180YC-EX and C9236C. Log: 1. There is IPv6 free space on TCAM. But I could not add rules. This issue happened on C9332PQ. AQ13-PT-9332PQ-01(config)# inte e1/23 AQ13-PT-9332PQ-01(config-if)# no ip access-group IPV4-ACL in AQ13-PT-9332PQ-01(config-if)# ipv6 traffic-filter IPV6-ACL in AQ13-PT-9332PQ-01(config-if)# !!!!-------------------->Exception AQ13-PT-9332PQ-01(config-ipv6-acl)# 1270 permit icmp 2001:12::1b/128 2001:22:0:1b::/64 2001:12::1c/128 2001:22:0:1c::/64 AQ13-PT-9332PQ-01(config-ipv6-acl)# 1280 permit icmp 2001:12::1c/128 2001:22:0:1c::/64 Sufficient free entries are not available in TCAM bank AQ13-PT-9332PQ-01(config-ipv6-acl)# 1290 permit icmp 2001:12::1d/128 2001:22:0:1d::/64 2001:12::1e/128Sufficient free entries are not available in TCAM bank AQ13-PT-9332PQ-01(config-ipv6-acl)# 1300 permit icmp 2001:12::1e/128 2001:22:0:1e::/64 Sufficient free entries are not available in TCAM bank AQ13-PT-9332PQ-01(config-ipv6-acl)# show hardware access-list resource utilization module 1 INSTANCE 0x0 ------------- ACL Hardware Resource Utilization (Mod 1) ---------------------------------------------------------- Used Free Percent Utilization ------------------------------------------------------------------- Ingress IPv4 RACL 1 511 0.19 Ingress IPv6 RACL 129 127 50.39 ---------------->Free space 2. One IPv4 ACL could not apply to this interface when the interface has been applied to one IPv6 ACL. This issue happened on C93180YC-EX and C9236C. AP07-PT-9236C-01(config-if)# show run inte e1/3 !Command: show running-config interface Ethernet1/3 !Running configuration last done at: Tue Jan 11 17:11:43 2011 !Time: Tue Jan 11 17:12:42 2011 version 9.2(2) Bios:version 07.59 interface Ethernet1/3 description Connection to AP07-PT-9236C-03:Eth1/5 ipv6 traffic-filter IPV6-ACL in AP07-PT-9236C-01(config-if)# show run inte e1/2 !Command: show running-config interface Ethernet1/2 !Running configuration last done at: Tue Jan 11 17:11:43 2011 !Time: Tue Jan 11 17:12:58 2011 version 9.2(2) Bios:version 07.59 interface Ethernet1/2 description Connection to AQ13-PT-9504-02:Eth2/5 no shutdown AP07-PT-9236C-01(config-if)# AP07-PT-9236C-01(config-if)# inte e1/2 AP07-PT-9236C-01(config-if)# ip access-group IPV4-ACL in ------->Apply "IPV4-ACL" to E1/2. E1/2 and E1/3 are using the same Instance 0x0. AP07-PT-9236C-01(config-if)# show hardware access-list resource utilization module 1 INSTANCE 0x0 ------------- ACL Hardware Resource Utilization (Mod 1) ---------------------------------------------------------- Used Free Percent Utilization ------------------------------------------------------------------- Ingress RACL 1410 382 78.68 Ingress RACL IPv4 604 33.70 ----------->No issue Ingress RACL IPv6 804 44.86 Ingress RACL MAC 0 0.00 Ingress RACL ALL 2 0.11 Ingress RACL OTHER 0 0.00 AP07-PT-9236C-01(config-if)# AP07-PT-9236C-01(config-if)# inte e1/3 AP07-PT-9236C-01(config-if)# ip access-group IPV4-ACL in Sufficient free entries are not available in TCAM bank --------> !!Issue. The same "IPV4-ACL" can't apply to E1/3. AP07-PT-9236C-01(config-if)# AP07-PT-9236C-01(config-if)# inte e1/3 AP07-PT-9236C-01(config-if)# no ipv6 traffic-filter IPV6-ACL in AP07-PT-9236C-01(config-if)# ip access-group IPV4-ACL in AP07-PT-9236C-01(config-if)# ipv6 traffic-filter IPV6-ACL in Sufficient free entries are not available in TCAM bank AP07-PT-9236C-01(config-if)# ------------->Workaround Reduce rules from IPv6 or IPv4 ACL. AP07-PT-9236C-01(config-if)# ipv6 access-list IPV6-ACL AP07-PT-9236C-01(config-ipv6-acl)# no 4000 permit tcp 2001:14:1::/128 2001:24:1::/128 AP07-PT-9236C-01(config-ipv6-acl)# no 4010 permit tcp 2001:14:1::1/128 2001:24:1::1/128 AP07-PT-9236C-01(config-ipv6-acl)# no 4020 permit tcp 2001:14:1::2/128 2001:24:1::2/128 AP07-PT-9236C-01(config-ipv6-acl)# no 4030 permit tcp 2001:14:1::3/128 2001:24:1::3/128 AP07-PT-9236C-01(config-ipv6-acl)# no 4040 permit tcp 2001:14:1::4/128 2001:24:1::4/128 AP07-PT-9236C-01(config-ipv6-acl)# no 4050 permit tcp 2001:14:1::5/128 2001:24:1::5/128 AP07-PT-9236C-01(config-ipv6-acl)# inte e1/3 AP07-PT-9236C-01(config-if)# ipv6 traffic-filter IPV6-ACL in AP07-PT-9236C-01(config-if)# AP07-PT-9236C-01(config-if)# show hardware access-list resource utilization module 1 INSTANCE 0x0 ------------- ACL Hardware Resource Utilization (Mod 1) ---------------------------------------------------------- Used Free Percent Utilization ------------------------------------------------------------------- Ingress RACL 1106 686 61.71 Ingress RACL IPv4 604 33.70 Ingress RACL IPv6 500 27.90

Conditions

IPv4 and IPv6 ACLs

Workaround

1. There is IPv6 free space on TCAM. But I could not add rules. This issue happened on C9332PQ. No workaround. 2. One IPv4 ACL could not apply to this interface when the interface has been applied to one IPv6 ACL. This issue happened on C93180YC-EX and C9236C. -------->Workaround Reduce rules from IPv6 or IPv4 ACL. AP07-PT-9236C-01(config-if)# ipv6 access-list IPV6-ACL AP07-PT-9236C-01(config-ipv6-acl)# no 4000 permit tcp 2001:14:1::/128 2001:24:1::/128 AP07-PT-9236C-01(config-ipv6-acl)# no 4010 permit tcp 2001:14:1::1/128 2001:24:1::1/128 AP07-PT-9236C-01(config-ipv6-acl)# no 4020 permit tcp 2001:14:1::2/128 2001:24:1::2/128 AP07-PT-9236C-01(config-ipv6-acl)# no 4030 permit tcp 2001:14:1::3/128 2001:24:1::3/128 AP07-PT-9236C-01(config-ipv6-acl)# no 4040 permit tcp 2001:14:1::4/128 2001:24:1::4/128 AP07-PT-9236C-01(config-ipv6-acl)# no 4050 permit tcp 2001:14:1::5/128 2001:24:1::5/128 AP07-PT-9236C-01(config-ipv6-acl)# inte e1/3 AP07-PT-9236C-01(config-if)# ipv6 traffic-filter IPV6-ACL in AP07-PT-9236C-01(config-if)# AP07-PT-9236C-01(config-if)# show hardware access-list resource utilization module 1 INSTANCE 0x0 ------------- ACL Hardware Resource Utilization (Mod 1) ---------------------------------------------------------- Used Free Percent Utilization ------------------------------------------------------------------- Ingress RACL 1106 686 61.71 Ingress RACL IPv4 604 33.70 Ingress RACL IPv6 500 27.90

Further Problem Description

Original Vendor Announcement

9.65Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.65Defect ID: CSCwa92734
CUBE DTMF interworking fails from rtp-nte to OOB SIP methods
9.65Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.65Defect ID: CSCvo03458
PKI "revocation check crl none" does not fallback if CRL not reachable
9.65Defect ID: CSCvq05584
Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCvo57938

Sufficient free entries are not available in TCAM bank

Cisco - Defect ID: CSCvo57938

Sufficient free entries are not available in TCAM bank

Last updated on 1/3/2020

Vendor details

Vendor details

Description

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco defects by risk score

Ready to prevent the next vendor outage?