Symptom
Removing an IPv6 egress ACL, modifying it and reapplying it in a single commit may result in traffic being dropped even though a matching ACE is programmed.
Conditions
Occurs after modifying the IPv6 ACL by first deleting the entire ACL and then re-creating it with the modification (ACE removal or addition) in a single commit.
Impacts only IPv6 egress ACLs. IPv6 ingress ACLs and IPv4 ACLs are not affected.
Affects all DNX- and Qumran-based products (NCS55xx, NCS-540x and NCS-560x based platforms).
When reprogramming of the IPv6 ACL fails, the output of show ofa trace contains a message such as:
Failed to add entry.... in DB INGRESS_ACL_L3_IPV6 on unit……
Workaround
When making modifications, either:
1) Delete the IPv6 ACL; commit; apply the modified IPv6 ACL; commit. Splitting the deletion and the re-creation into two commits avoids the issue.
2) If the modification has already been committed and the error has been seen, remove all ACLs attached to the affected interface, commit the removal, and then reapply them at the interface.
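As an added illustration of both workarounds (this is an example added here, not part of the Cisco bug note), the IOS XR session below shows the single-commit modification that triggers the problem, the split-commit form from workaround 1, and the detach/reattach form from workaround 2. The ACL name V6-EGRESS, the interface HundredGigE0/0/0/0, the ACE contents and the prompt are assumptions chosen for the example; the show commands used for verification are standard IOS XR commands and are not taken from the bug note.

```text
! --- Problematic: delete, re-create and reapply the egress ACL in ONE commit ---
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# no ipv6 access-list V6-EGRESS
RP/0/RP0/CPU0:router(config)# ipv6 access-list V6-EGRESS
RP/0/RP0/CPU0:router(config-ipv6-acl)# 10 permit tcp any 2001:db8:100::/48 eq 443
RP/0/RP0/CPU0:router(config-ipv6-acl)# 20 permit icmpv6 any any
RP/0/RP0/CPU0:router(config-ipv6-acl)# 30 deny ipv6 any any
RP/0/RP0/CPU0:router(config-ipv6-acl)# commit     <- single commit: may hit the bug
RP/0/RP0/CPU0:router(config-ipv6-acl)# end
RP/0/RP0/CPU0:router# show ofa trace | include "Failed to add entry"

! --- Workaround 1: delete and commit, then re-create and commit ---
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# no ipv6 access-list V6-EGRESS
RP/0/RP0/CPU0:router(config)# commit              <- first commit: old ACL removed
RP/0/RP0/CPU0:router(config)# ipv6 access-list V6-EGRESS
RP/0/RP0/CPU0:router(config-ipv6-acl)# 10 permit tcp any 2001:db8:100::/48 eq 443
RP/0/RP0/CPU0:router(config-ipv6-acl)# 20 permit icmpv6 any any
RP/0/RP0/CPU0:router(config-ipv6-acl)# 30 deny ipv6 any any
RP/0/RP0/CPU0:router(config-ipv6-acl)# commit     <- second commit: modified ACL programmed
RP/0/RP0/CPU0:router(config-ipv6-acl)# end

! --- Workaround 2: ACL already modified and error seen; detach, commit, reattach, commit ---
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface HundredGigE0/0/0/0
RP/0/RP0/CPU0:router(config-if)# no ipv6 access-group V6-EGRESS egress
RP/0/RP0/CPU0:router(config-if)# commit           <- commit the removal first, otherwise the
RP/0/RP0/CPU0:router(config-if)# ipv6 access-group V6-EGRESS egress    remove/reapply nets to no change
RP/0/RP0/CPU0:router(config-if)# commit
RP/0/RP0/CPU0:router(config-if)# end

! --- Verify: ACL still attached egress, no programming failure in the OFA trace ---
RP/0/RP0/CPU0:router# show running-config interface HundredGigE0/0/0/0
interface HundredGigE0/0/0/0
 ipv6 access-group V6-EGRESS egress
!
RP/0/RP0/CPU0:router# show ofa trace | include "Failed to add entry"
RP/0/RP0/CPU0:router# show access-lists ipv6 V6-EGRESS hardware egress location 0/0/CPU0
```

Run the show ofa trace filter after each commit that touches an IPv6 egress ACL; an empty result after the second commit of either workaround, together with matching ACE hit counters in the hardware view, is the practical check that the ACL was reprogrammed rather than silently left in the failed state.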
Further Problem Description
*PSIRT Evaluation:*
The Cisco PSIRT has evaluated this issue and determined that it does not have a security impact that requires PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. There is no PSIRT restriction that prohibits making this bug visible.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html