...
A router may experience packet drops due to Ipv4AclLookupMiss:

  Router#show platform hardware qfp active statistics drop
  -------------------------------------------------------------------------
  Global Drop Stats                         Packets                  Octets
  -------------------------------------------------------------------------
  Disabled                                        5                    1033
  EncapInvalid                                  659                   39540
  Ipv4AclLookupMiss                             393                   44802   <------
  Ipv4NoAdj                                      26                    3831
  Ipv4NoRoute                                     6                     510

Ipv4AclLookupMiss is usually associated with drops due to the implicit deny at the end of every ACL.
A router has an ACL configured with an object-group like this:

  access-list 150 permit ip object-group RDPHosts object-group SERVERS1
  access-list 150 permit tcp host X.X.X.X eq 22 object-group USERS_SSH
  access-list 150 permit ip any any
If the "access-list " command is used to configure an object-group based ACL, enter the extended ACL config mode once the configuration is complete and then exit it:

  ip access-list extended 150
  exit

This causes the expanded ACLs to be programmed fresh in the TCAM. This also needs to be done after a reload with numbered OG-ACLs in older versions (without the fix for CSCvm47690).
This issue will not be hit after the fix for CSCvm47690, which forces the object-group configuration into the extended ACL config mode. However, if you're upgrading from a version that does accept the object-group with the previous notation, the ACL will fail to program in the new version, causing packet drops.
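
A pre-upgrade check for the condition described above, as an added example that is not part of the original bug text or any Cisco tool: it scans saved configuration text for numbered ACLs that reference an object-group through the global "access-list" command, reads the Ipv4AclLookupMiss packet count from saved drop-table output, and lists the workaround commands from this page for each affected ACL. The function names and the sample input are assumptions constructed for illustration.

```python
import re

# Global numbered form carrying an object-group, e.g.
# "access-list 150 permit ip object-group A object-group B"
NUMBERED_OG = re.compile(r"^access-list\s+(\d+)\s+(?:permit|deny)\s.*\bobject-group\b")

def numbered_og_acls(config_text):
    """ACL numbers that use object-groups via the global 'access-list' command."""
    hits = set()
    for line in config_text.splitlines():
        m = NUMBERED_OG.match(line.strip())
        if m:
            hits.add(int(m.group(1)))
    return sorted(hits)

def workaround_commands(acl_numbers):
    """Enter and leave extended ACL config mode for each affected ACL."""
    cmds = []
    for n in acl_numbers:
        cmds += [f"ip access-list extended {n}", "exit"]
    return cmds

def drop_counter(drop_output, name):
    """Packet count for one row of the QFP drop table; 0 if the row is absent."""
    for line in drop_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == name and parts[1].isdigit():
            return int(parts[1])
    return 0

# Constructed sample input, modelled on the lines quoted on this page.
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 150 remark object-group based ACL
access-list 150 permit ip object-group RDPHosts object-group SERVERS1
access-list 150 permit tcp host X.X.X.X eq 22 object-group USERS_SSH
access-list 150 permit ip any any
ip access-list extended 160
 permit ip object-group RDPHosts any
"""
SAMPLE_DROPS = """\
Global Drop Stats        Packets    Octets
EncapInvalid                 659     39540
Ipv4AclLookupMiss            393     44802
"""

if __name__ == "__main__":
    affected = numbered_og_acls(SAMPLE_CONFIG)
    print("Ipv4AclLookupMiss packets:", drop_counter(SAMPLE_DROPS, "Ipv4AclLookupMiss"))
    print("Numbered OG-ACLs:", affected)
    print("\n".join(workaround_commands(affected)))
```

ACL 160 in the sample is not reported because it is already defined in extended ACL config mode, and the remark line is ignored because it is not a permit or deny entry.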