...
Once a large-scale ACL with 100+ L4 "range" operators is applied, the device drops packets that the ACL permits. Example:

ip access-list extended Some-Big-Extended_ACL
 permit tcp host 192.168.1.1 range 1099 1100 172.20.0.0 0.0.255.255 established   <<<<<<< is dropping traffic
 permit tcp host 192.168.1.1 range 3402 3403 172.20.0.0 0.0.255.255 established

Not every entry fails once the threshold is reached.
1. 100+ ACEs with the L4 "range" operator in the running configuration.
2. Day-1 issue; all current releases are affected.
1. Reduce the number of unneeded "range" ACEs.
Example ACL (this is already the 30th ACL of this kind; all previous ones work fine):

ip access-list extended Some-Big-Extended_ACL
 permit tcp host 192.168.162.201 range 1099 1100 172.20.0.0 0.0.255.255 established   <<<<<<<<< is not programmed
 permit tcp host 192.168.162.201 range 3402 3403 172.20.0.0 0.0.255.255 established
 permit tcp host 192.168.245.140 172.20.0.0 0.0.255.255 eq www
 permit tcp host 192.168.245.140 eq www 172.20.0.0 0.0.255.255 established
 permit tcp 192.168.245.64 0.0.0.63 172.20.0.0 0.0.255.255 eq 1194
 permit tcp 192.168.245.64 0.0.0.63 172.20.0.0 0.0.255.255 eq 2198
 permit tcp 192.168.245.64 0.0.0.63 172.20.0.0 0.0.255.255 range 11500 11509
 permit tcp host 192.168.245.138 eq 88 172.20.0.0 0.0.255.255 established
 permit udp host 192.168.245.138 eq 88 172.20.0.0 0.0.255.255
 permit tcp host 192.168.245.138 eq 389 172.20.0.0 0.0.255.255 established
 permit udp host 192.168.245.138 eq 389 172.20.0.0 0.0.255.255
 permit tcp host 192.168.245.138 eq 445 172.20.0.0 0.0.255.255 established
 permit tcp host 192.168.245.138 eq 3268 172.20.0.0 0.0.255.255 established
 permit tcp host 192.168.245.138 eq msrpc 172.20.0.0 0.0.255.255 established
 permit tcp host 192.168.245.138 range 49152 65535 172.20.0.0 0.0.255.255 established
 permit tcp host 192.168.245.139 eq 88 172.20.0.0 0.0.255.255 established
 permit udp host 192.168.245.139 eq 88 172.20.0.0 0.0.255.255
 permit tcp host 192.168.245.139 eq 389 172.20.0.0 0.0.255.255 established
 permit udp host 192.168.245.139 eq 389 172.20.0.0 0.0.255.255
 permit tcp host 192.168.245.139 eq 445 172.20.0.0 0.0.255.255 established
 permit tcp host 192.168.245.139 eq 3268 172.20.0.0 0.0.255.255 established
 permit tcp host 192.168.245.139 eq msrpc 172.20.0.0 0.0.255.255 established
 permit tcp host 192.168.245.139 range 49152 65535 172.20.0.0 0.0.255.255 established
 permit tcp any eq 1688 172.20.0.0 0.0.255.255 established
 permit tcp host 192.168.32.157 172.20.0.0 0.0.255.255 established
 permit tcp host 192.168.48.67 eq 3128 172.20.0.0 0.0.255.255 established
 permit tcp 192.168.48.8 0.0.0.1 eq www 172.20.0.0 0.0.255.255 established
 permit tcp 10.20.126.0 0.0.0.255 172.20.0.0 0.0.255.255 established
 permit tcp 10.20.122.0 0.0.0.255 range 3200 3299 172.20.0.0 0.0.255.255 established
 permit tcp host 192.168.162.231 eq 3046 172.20.0.0 0.0.255.255 established
 permit tcp any eq domain 172.20.0.0 0.0.255.255 established
 permit udp any eq domain 172.20.0.0 0.0.255.255
 permit udp any eq ntp 172.20.0.0 0.0.255.255
 permit udp any eq bootps 172.20.0.0 0.0.255.255 eq bootpc
 permit icmp any 172.20.0.0 0.0.255.255
 deny ip any any log

Switch#show platform software fed switch active acl policy vcu
########################################################
#########          ##################           ########
######## Printing Policy Infos #################
#########          ##################           ########
########################################################
INTERFACE: Vlan10
MAC 0000.0000.0000
########################################################
intfinfo: 0x7fd90c3ed248
Interface handle: 0xe0000ca
Interface Type: L3
if-id: 0x000000000000005e
------------
Direction: Output
Protocol Type:IPv4
Policy Intface Handle: 0xe1000109
Policy Handle: 0x70000259
########################################################
#########          ##################           ########
######## Policy information #################
#########          ##################           ########
########################################################
Policy handle : 0x70000259
Policy name : Some-Big-Extended_ACL
ID : 64
Protocol : [3] IPV4
Feature : [27] AAL_FEATURE_RACL
Number of ACLs : 1
########################################################
## Complete policy ACL information
########################################################
Acl number : 1
=====================================
Acl handle : 0xa70002c4
Acl flags : 0x00000001
Number of ACEs : 41
Ace handle [1] : 0xa6030391
Ace handle [2] : 0xe1030392
Ace handle [3] : 0xbb030393
Ace handle [4] : 0x36030394
Ace handle [5] : 0xa0030395
Ace handle [6] : 0xee030396
Ace handle [7] : 0x38030397
Ace handle [8] : 0xa9030398
Ace handle [9] : 0xaa030399
Ace handle [10] : 0xe503039a
Ace handle [11] : 0x4303039b
Ace handle [12] : 0x1603039c
Ace handle [13] : 0xde03039d
Ace handle [14] : 0xe703039e
Ace handle [15] : 0xcd03039f
Ace handle [16] : 0xcc0303a0
Ace handle [17] : 0xd70303a1
Ace handle [18] : 0x2f0303a2
Ace handle [19] : 0x9c0303a3
Ace handle [20] : 0x490303a4
Ace handle [21] : 0x530303a5
Ace handle [22] : 0xde0303a6
Ace handle [23] : 0x610303a7
Ace handle [24] : 0x390303a8
Ace handle [25] : 0x3b0303a9
Ace handle [26] : 0xcb0303aa
Ace handle [27] : 0xcd0303ab
Ace handle [28] : 0x410303ac
Ace handle [29] : 0x9a0303ad
Ace handle [30] : 0x0d0303ae
Ace handle [31] : 0x810303af
Ace handle [32] : 0x4f0303b0
Ace handle [33] : 0x450303b1
Ace handle [34] : 0x4b0303b2
Ace handle [35] : 0xdc0303b3
Ace handle [36] : 0xda0303b4
Ace handle [37] : 0x2f0303b5
Ace handle [38] : 0x850303b6
Ace handle [39] : 0xf40303b7
Ace handle [40] : 0xe80303b8
Ace handle [41] : 0x790303b9
Interface(s): Vlan10
########################################################
#########          ##################           ########
######## Policy instance information #################
#########          ##################           ########
########################################################
Policy intf handle : 0xe1000109
Policy handle : 0x70000259
ID : 64
Protocol : [3] IPV4
Feature : [27] AAL_FEATURE_RACL
Direction : [2] Egress
Number of ACLs : 1
Number of VMRs : 30

Show CapMap Label Info:
Asic 255 EGRESS Vcu GROUP CapMapLabel 7
bit_loc | port_type | vcu_type   | vcu_seq | op_type | op_value / op_mask
29      | SRC PORT  | DUAL ACU   | 6       | RANGE   | c7f / ffff  ce4 / ffff    <<<<< no VCU covering the 1st ACE.
25      | DST PORT  | DUAL ACU   | 7       | RANGE   | 4073 / ffff 407e / ffff
17      | TCP FLAG  | SINGLE LCU | 0       | ANYSET  | 14
#############################################################################
VMR #0003    <<< only sequence 20 (the second entry) is seen; 10 is not present.
Output IPv4 RACL
Labels Port Vlan L3If Group
M: 0000 0000 03ff 0000
V: 0000 0000 0019 0000
vcuResults l3Len l3Pro l3Tos SrcAddr  DstAddr  mtrid vrfid SH
M: 00020000 0000  ff    00    ffffffff ffff0000 00    0000  0000
V: 00020000 0000  06    00    c0a8a2c9 ac140000 00    0000  0000
RMAC RA MEn IPOPT MF NFF DF SO DPT TM DSEn l3m
M: 1 0 0 0 0 0 0 0 0 0 0 0
V: 1 0 0 0 0 0 0 0 0 0 0 0
SrcPort DstPort IITypeCode TCPFlags TTL ISBM QosLabel ReQOS S_P2P D_P2P
M: fffe 0000 00 00 0000 00 0 0 0
V: 0d4a 0000 00 00 0000 00 0 0 0    <<<<<< 0d4a is 3402; with mask fffe this gives the range 3402-3403, so OK. The second entry is programmed, the first is not.
SgEn SgLabel AuthBehaviorTag l2srcMiss l2dstMiss ipTtl
M: 0 000000 0 0 0 0
V: 0 000000 0 0 0 0
DR DB LOG RS RF PS SR LRST LIDXPRIO SIDX STATS_ID HW_STATS_IDX DEST_MOD_INDEX
0  0  1   0  0  0  0  0    0        a    0000     0            0 0
AuthDrivenDropPacket AuthDrivenSuppressUpdates AuthDrivenStatsId
0 0 0
forwardingModeBridge forwardingModeReplicate
0 0
Start/Skip Word: 0x00000008 No Start, Skip Feature
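Applying the workaround means knowing which "range" ACEs actually cost a VCU. The Python script below is an added example, not part of the bug report or any Cisco tool: it lists every ACE that uses the L4 range operator and computes whether the range fits a single value/mask pair (as 3402-3403 fits 0d4a/fffe in the VMR above) or needs several. Treating the multi-pair ranges as the VCU consumers is an assumption drawn from the output above, not a documented rule, and the sample ACL is an excerpt of the one shown.

```python
import re

# Added example, not code from the bug report. "needs_vcu" follows the page's
# observation (one value/mask pair -> no VCU; otherwise a VCU) and is an assumption.
RANGE_RE = re.compile(r"\brange\s+(\d+)\s+(\d+)\b")

def range_to_masks(lo, hi, bits=16):
    """Minimal list of (value, mask) pairs that exactly cover [lo, hi]."""
    full = (1 << bits) - 1
    pairs = []
    while lo <= hi:
        size = 1
        # grow the aligned block while it still fits inside the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        pairs.append((lo, full ^ (size - 1)))
        lo += size
    return pairs

def audit_acl(acl_text):
    """One record per ACE that uses the L4 'range' operator."""
    findings = []
    for line in acl_text.splitlines():
        m = RANGE_RE.search(line)
        if not m:
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        pairs = range_to_masks(lo, hi)
        findings.append({"ace": line.strip(), "range": (lo, hi),
                         "pairs": pairs, "needs_vcu": len(pairs) > 1})
    return findings

def count_vcu(acl_text):
    """ACEs assumed to consume a VCU; compare against the 100+ threshold."""
    return sum(f["needs_vcu"] for f in audit_acl(acl_text))

# Constructed sample: an excerpt of the ACL shown in the bug report.
SAMPLE_ACL = """\
ip access-list extended Some-Big-Extended_ACL
 permit tcp host 192.168.162.201 range 1099 1100 172.20.0.0 0.0.255.255 established
 permit tcp host 192.168.162.201 range 3402 3403 172.20.0.0 0.0.255.255 established
 permit tcp 192.168.245.64 0.0.0.63 172.20.0.0 0.0.255.255 range 11500 11509
 permit tcp host 192.168.245.138 range 49152 65535 172.20.0.0 0.0.255.255 established
 permit tcp 10.20.122.0 0.0.0.255 range 3200 3299 172.20.0.0 0.0.255.255 established
"""

if __name__ == "__main__":
    for f in audit_acl(SAMPLE_ACL):
        print(f["range"], "VCU" if f["needs_vcu"] else "value/mask", [(v, f"{m:04x}") for v, m in f["pairs"]])
```

Run against the full running configuration, the count from count_vcu is the number to drive below the threshold; ranges such as 49152-65535 cost nothing under this model, while short unaligned ones like 1099-1100 do.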