BugZero | Cisco BugID CSCvu36475 - Numbered ACLs fail to program to software TCAM if ...

Loading...

Operational Defect Database

A free repository of operational (non-security) bugs centralized through custom integrations with leading IT vendors.

Product

Enterprise platform
Bug Scrub Advisor
Operational Risk Scoring
Vendor Integrations

Company

Plans
Value Guide
About
Contact us
Legal

Resources

Blog
ServiceNow App
Trust Center
Risk Management
NIST
DORA

Operational Defect Database

A free repository of operational (non-security) bugs centralized through custom integrations with leading IT vendors.

Product

Enterprise platform
Bug Scrub Advisor
Operational Risk Scoring
Vendor Integrations

Company

Plans
Value Guide
About
Contact us
Legal

Resources

Blog
ServiceNow App
Trust Center
Risk Management
NIST
DORA

©2025 BugZero. All Rights Reserved.

Privacy Policy Terms of Service

BugZero | Cisco BugID CSCvu36475 - Numbered ACLs fail to program to software TCAM if ...

ODD
Cisco
CSCvu36475

Cisco - Defect ID: CSCvu36475

Numbered ACLs fail to program to software TCAM if there's an object-group config

ODD
Cisco
CSCvu36475

Cisco - Defect ID: CSCvu36475

Numbered ACLs fail to program to software TCAM if there's an object-group config

Last updated on June 28th, 2025

BugZero Risk Score
6.1 Medium

Overall: 6.1

Severity: 6.4

Lifecycle: 9.1

Popularity: 5.1

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Bug Details

Description

Symptom

A router may experience packet drops due to Ipv4AclLookupMiss: Router#show platform hardware qfp active statistics drop ------------------------------------------------------------------------- Global Drop Stats Packets Octets ------------------------------------------------------------------------- Disabled 5 1033 EncapInvalid 659 39540 Ipv4AclLookupMiss 393 44802 <------ Ipv4NoAdj 26 3831 Ipv4NoRoute 6 510 Ipv4AclLookupMiss is usually associated with drops due to the implicit deny at the end of every ACL.

Conditions

A router has an ACL configured with an object-group like this: access-list 150 permit ip object-group RDPHosts object-group SERVERS1 access-list 150 permit tcp host X.X.X.X eq 22 object-group USERS_SSH access-list 150 permit ip any any

Workaround

If the "access-list " command is used to configure Object-group based ACL, once the configuration is over, drop into the extended ACL config mode and exit the config mode: ip access-list extended 150 exit This will cause the expanded ACLs to be programmed fresh in the TCAM. This also needs to be done after a reload with numbered OG-ACLs in older versions (without fix for CSCvm47690)

Further Problem Description

This issue will not be hit after the fix of CSCvm47690, where it forces the object-group configuration into the extended acl config mode. However, if you're upgrading from a version that does accept the object-group with the previous notation, the ACL will fail to program in the new version, causing packet drops.

Change history

2025-06-28 Added: 16.9.5

Relevant Products

Click on a version to see all relevant bugs

Affected versions:16.9.5

Fixed versions: 16.12.5, 16.12.5a, 16.12.5b, 16.12.6, 16.12.6a, 16.12.7, 16.12.8, 16.12.9, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 17.05.01c, 17.10.1, 17.10.1a, 17.10.1b, 17.11.1, 17.11.1a, 17.3.2, 17.3.2a, 17.3.3, 17.3.3a, 17.3.4, 17.3.4a, 17.3.4b, 17.3.4c, 17.3.5, 17.3.5a, 17.3.5b, 17.3.6, 17.3.7, 17.4.1, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b, 17.5.1c, 17.6.1, 17.6.1a, 17.6.1w, 17.6.1x, 17.6.1y, 17.6.1z, 17.6.1z1, 17.6.2, 17.6.3, 17.6.3a, 17.6.4, 17.6.5, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.8.1, 17.8.1a, 17.9.1, 17.9.1a, 17.9.1w, 17.9.1x, 17.9.1x1, 17.9.1y, 17.9.2, 17.9.2a, 17.9.3a, Amsterdam-17.3.2a, Bengaluru-17.4.1, Fuji-16.9.6, Gibraltar-16.12.5

Relevant Products

Click on a version to see all relevant bugs

Affected versions:16.9.5

Fixed versions: 16.12.5, 16.12.5a, 16.12.5b, 16.12.6, 16.12.6a, 16.12.7, 16.12.8, 16.12.9, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 17.05.01c, 17.10.1, 17.10.1a, 17.10.1b, 17.11.1, 17.11.1a, 17.3.2, 17.3.2a, 17.3.3, 17.3.3a, 17.3.4, 17.3.4a, 17.3.4b, 17.3.4c, 17.3.5, 17.3.5a, 17.3.5b, 17.3.6, 17.3.7, 17.4.1, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b, 17.5.1c, 17.6.1, 17.6.1a, 17.6.1w, 17.6.1x, 17.6.1y, 17.6.1z, 17.6.1z1, 17.6.2, 17.6.3, 17.6.3a, 17.6.4, 17.6.5, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.8.1, 17.8.1a, 17.9.1, 17.9.1a, 17.9.1w, 17.9.1x, 17.9.1x1, 17.9.1y, 17.9.2, 17.9.2a, 17.9.3a, Amsterdam-17.3.2a, Bengaluru-17.4.1, Fuji-16.9.6, Gibraltar-16.12.5

Top Cisco Defects

9.7Defect ID: CSCwq79831
Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability
9.7Defect ID: CSCwt50498
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
9.7Defect ID: CSCws52722
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
9.7Defect ID: CSCws61409
Live Logs Not Displaying on GUI Due to Fast Expansion of MNT Database
9.7Defect ID: CSCwa46963
Security: CVE-2021-44228 -> Log4j 2 Vulnerability

Ready to prevent the next vendor outage?

Links

Original Vendor Announcement

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise