OPERATIONAL DEFECT DATABASE
...
...
After enabling strict URPF for both IPv4 and IPv6, the commit will fail, but leave IPv6 URPF configuration in place which cannot be removed. For example: Applying the following configuration ``` config interface FH0/0/0/14 ipv4 verify unicast source reachable-via rx ipv6 verify unicast source reachable-via rx commit show-error ``` The commit will fail with the following error: ``` RP/0/RP0/CPU0:core1.bldc(config-if)#commit show-error Thu Apr 14 14:36:16.630 UTC % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. !! SEMANTIC ERRORS: This configuration was rejected by !! the system due to semantic errors. The individual !! errors with each failed configuration command can be !! found below. interface FourHundredGigE0/0/0/14 no ipv6 verify unicast source reachable-via rx !!% The process 'ipv4_ma' rejected the operation but returned no error ! end ```
On a 8201 device running 7.3.2, configuring uRPF does not work. Even using the configuration directly from available documentation, the configuration fails with the same error, which also is not very detailed or informative: DOCUMENTATION: https://www.cisco.com/c/en/us/td/docs/iosxr/cisco8000/security/73x/b-system-security-cg-cisco8000-73x/m-implementing-urpf-8k.html#id_56010 https://www.cisco.com/c/en/us/td/docs/iosxr/cisco8000/general/73x/release/notes/b-release-notes-cisco8k-r7315.html FROM CUSTOMER DEVICE: config interface FH0/0/0/14 ipv4 verify unicast source reachable-via rx ipv6 verify unicast source reachable-via rx commit show-error ``` The commit will fail with the following error: ``` RP/0/RP0/CPU0:core1.bldc(config-if)#commit show-error Thu Apr 14 14:36:16.630 UTC % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. !! SEMANTIC ERRORS: This configuration was rejected by !! the system due to semantic errors. The individual !! errors with each failed configuration command can be !! found below. interface FourHundredGigE0/0/0/14 no ipv6 verify unicast source reachable-via rx !!% The process 'ipv4_ma' rejected the operation but returned no error ! end ``` After aborting the commit, the following configuration will be left over: ``` RP/0/RP0/CPU0:core1.bldc#show run formal | inc verify interface FourHundredGigE0/0/0/14 ipv6 verify unicast source reachable-via rx ``` Attempts to remove this configuration will fail with the same message from `ipv4_ma` process. FROM TCE LAB DEVICE: RP/0/RP0/CPU0:8201-B(config-if)#show config Thu Apr 14 16:41:39.324 UTC Building configuration... !! IOS XR Configuration 7.3.2 interface FourHundredGigE0/0/0/5 no ipv4 verify unicast source reachable-via rx ipv4 verify unicast source reachable-via any ! end RP/0/RP0/CPU0:8201-B(config-if)#commit Thu Apr 14 16:41:43.623 UTC % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from this session to view the errors RP/0/RP0/CPU0:8201-B(config-if)#show configuration failed Thu Apr 14 16:41:50.553 UTC !! SEMANTIC ERRORS: This configuration was rejected by !! the system due to semantic errors. The individual !! errors with each failed configuration command can be !! found below. interface FourHundredGigE0/0/0/5 ipv4 verify unicast source reachable-via any !!% The process 'ipv4_ma' rejected the operation but returned no error ! end RP/0/RP0/CPU0:8201-B(config-if)#show config Thu Apr 14 16:44:25.239 UTC Building configuration... !! IOS XR Configuration 7.3.2 interface FourHundredGigE0/0/0/5 no ipv4 verify unicast source reachable-via any ipv4 verify unicast source reachable-via any allow-default ! end RP/0/RP0/CPU0:8201-B(config-if)#commit Thu Apr 14 16:44:28.933 UTC % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from this session to view the errors RP/0/RP0/CPU0:8201-B(config-if)#show configuration failed Thu Apr 14 16:44:35.949 UTC !! SEMANTIC ERRORS: This configuration was rejected by !! the system due to semantic errors. The individual !! errors with each failed configuration command can be !! found below. interface FourHundredGigE0/0/0/5 ipv4 verify unicast source reachable-via any allow-default !!% The process 'ipv4_ma' rejected the operation but returned no error ! end
None
The uRPF documentation and release notes for the 8000 series advises that the configuration is supported, yet the customer no longer can configure it, and is left with a stale configuration that cannot be removed from the device, besides the fact the TCE also can't configure it in a lab device either.
Cisco Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.
