Bug when using the ISE downloadable ACL Check syntax feature

davedvo — Wed, 18 Aug 2021 20:36:16 GMT

Hi Cisco Community,

I have recently noticed that there is a bug with my version of Cisco ISE at 2.7 patch 4, where I get the following message when I am trying to check the syntax of one of my Downloadable ACLs:

java.lang.ArrayIndexOutOfBoundsException:
4 at com.cisco.cpm.admin.utils.DACLValidator.isV
alidIpv4(DACLValidator.java:189) at com.cisco.cpm.admin.utils.DACLValidator.val
idateSubnetMasksIpv4(DACLValidator.java:171
) at com.cisco.cpm.admin.utils.DACLValidator.val
idateSubnetMasksForVersions(DACLValidator.j
ava:144) at com.cisco.cpm.admin.utils.DACLValidator.val
idate(DACLValidator.java:60) at com.cisco.cpm.admin.nsf.action.NSFDaclActio
n.parseDacl(NSFDaclAction.java:278) at sun.reflect.NativeMethodAccessorImpl.invoke
0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke
(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.in
voke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java
:498) at com.cisco.cpm.admin.infra.spring.ISEAdminCo
ntroller.performExecution(ISEAdminControlle
r.java:155) at com.cisco.cpm.admin.infra.spring.ISEAdminCo
ntroller.handleRequest(ISEAdminController.jCisco ISE, Identity Services Engine (ISE)
ava:121) at org.springframework.web.servlet.mvc.SimpleC
ontrollerHandlerAdapter.handle(SimpleContro
llerHandlerAdapter.java:52) at org.springframework.web.servlet.DispatcherS
ervlet.doDispatch(DispatcherServlet.java:10
38) at org.springframework.web.servlet.DispatcherS
ervlet.doService(DispatcherServlet.java:942
) at org.springframework.web.servlet.FrameworkSe
rvlet.processRequest(FrameworkServlet.java:
1005) at org.springframework.web.servlet.FrameworkSe
rvlet.doPost(FrameworkServlet.java:908) at
javax.servlet.http.HttpServlet.service(Http
Servlet.java:660) at org.springframework.web.servlet.FrameworkSe
rvlet.service(FrameworkServlet.java:882) a
t javax.servlet.http.HttpServlet.service(Http
Servlet.java:741) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:231) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at org.apache.tomcat.websocket.server.WsFilter
.doFilter(WsFilter.java:53) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.UserInfoFil
ter.doFilter(UserInfoFilter.java:152) at
org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.Navigationa
lViewPreferencesFilter.doFilter(Navigationa
lViewPreferencesFilter.java:99) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at org.apache.catalina.core.ApplicationDispatc
her.invoke(ApplicationDispatcher.java:712)
at org.apache.catalina.core.ApplicationDispatc
her.processRequest(ApplicationDispatcher.ja
va:459) at org.apache.catalina.core.ApplicationDispatc
her.doForward(ApplicationDispatcher.java:38
4) at org.apache.catalina.core.ApplicationDispatc
her.forward(ApplicationDispatcher.java:312)
at com.cisco.cpm.admin.infra.utils.WebRequestF
orwardingFilter.doFilter(WebRequestForwardi
ngFilter.java:43) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at org.owasp.csrfguard.CsrfGuardFilter.doFilte
r(CsrfGuardFilter.java:88) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.WebCleanCac
heFilter.doFilter(WebCleanCacheFilter.java:
42) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.rbacfilter.AccessCheckFilter.
doFilter(AccessCheckFilter.java:75) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.LogFilter.d
oFilter(LogFilter.java:83) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.RequestHead
erRefererValidationFilter.processRequest(Re
questHeaderRefererValidationFilter.java:53)
at com.cisco.cpm.admin.infra.utils.RequestHead
erRefererValidationFilter.doFilter(RequestH
eaderRefererValidationFilter.java:39) at
org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.RequestHead
erValidationFilter.doFilter(RequestHeaderVa
lidationFilter.java:138) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.RequestHead
erSanityFilter.doFilter(RequestHeaderSanity
Filter.java:115) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.UserInfoFil
ter.doFilter(UserInfoFilter.java:152) at
org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.xss.XssCheckFilter.doFi
lter(XssCheckFilter.java:133) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.LoginCheckF
ilter.doFilter(LoginCheckFilter.java:364)
at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.ParamFilter
.doFilter(ParamFilter.java:72) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.CommonReque
stParameterFilter.doFilter(CommonRequestPar
ameterFilter.java:69) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.CharacterEn
codingFilter.doFilter(CharacterEncodingFilt
er.java:122) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.Navigationa
lViewPreferencesFilter.doFilter(Navigationa
lViewPreferencesFilter.java:99) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.ise.tomcat.xss.AdditionalXssCheck
Filter.doFilter(AdditionalXssCheckFilter.ja
va:54) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.ise.tomcat.xss.FilePathCheckFilte
r.doFilter(FilePathCheckFilter.java:72) at
org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.ResponseHea
dersFilter.doFilter(ResponseHeadersFilter.j
ava:63) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.RequestDeco
dingFilter.executeNextFilter(RequestDecodin
gFilter.java:142) at com.cisco.cpm.admin.infra.utils.RequestDeco
dingFilter.doFilter(RequestDecodingFilter.j
ava:93) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at org.apache.catalina.core.StandardWrapperVal
ve.invoke(StandardWrapperValve.java:200) a
t org.apache.catalina.core.StandardContextVal
ve.invoke(StandardContextValve.java:96) at
org.apache.catalina.authenticator.Authentic
atorBase.invoke(AuthenticatorBase.java:607)
at org.apache.catalina.valves.RequestFilterVal
ve.process(RequestFilterValve.java:348) at
org.apache.catalina.valves.LocalAddrValve.i
nvoke(LocalAddrValve.java:51) at org.apache.catalina.core.StandardHostValve.
invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve
.invoke(ErrorReportValve.java:92) at com.cisco.ise.tomcat.valves.GuestVlanUrlRed
irectValve.invoke(GuestVlanUrlRedirectValve
.java:80) at org.apache.catalina.authenticator.SingleSig
nOn.invoke(SingleSignOn.java:240) at org.apache.catalina.core.StandardEngineValv
e.invoke(StandardEngineValve.java:74) at
org.apache.catalina.valves.MethodsValve.inv
oke(MethodsValve.java:52) at org.apache.catalina.connector.CoyoteAdapter
.service(CoyoteAdapter.java:343) at org.apache.coyote.http11.Http11Processor.se
rvice(Http11Processor.java:408) at org.apache.coyote.AbstractProcessorLight.pr
ocess(AbstractProcessorLight.java:66) at
org.apache.coyote.AbstractProtocol$Connecti
onHandler.process(AbstractProtocol.java:834
) at org.apache.tomcat.util.net.NioEndpoint$Sock
etProcessor.doRun(NioEndpoint.java:1415) a
t org.apache.tomcat.util.net.SocketProcessorB
ase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.run
Worker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Wor
ker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$W
rappingRunnable.run(TaskThread.java:61) at
java.lang.Thread.run(Thread.java:748)

Is there currently any workarounds to this issue that anyone has had success with? It seems to only occur for ACLs that have the correct syntax.

Re: Bug when using the ISE downloadable ACL Check syntax feature

Dustin Anderson — Wed, 18 Aug 2021 20:50:05 GMT

I have a test ISE with 2.7 patch 4 and have no issues. When we originally went to 2.6, I had issues as the dACLs now supports IPv6. I had to recreate dACLs specifying IPv4 to get them to validate and work. old dACLs had the option to specify greyed out.

Re: Bug when using the ISE downloadable ACL Check syntax feature

Greg Gibbs — Thu, 19 Aug 2021 00:25:49 GMT

Those are Java errors referencing a lot of internal processes used by ISE. If you've already done the standard troubleshooting for client Java issues (cleared cache, tried another browser, reinstalled the latest version of Java, etc.), I would suggest opening a TAC case to investigate the issue further.

Re: Bug when using the ISE downloadable ACL Check syntax feature

hslai — Sun, 22 Aug 2021 04:43:13 GMT

Pick Agnostic as the IP version, in order to avoid syntax checks.

topic Bug when using the ISE downloadable ACL Check syntax feature in Network Access Control

Bug when using the ISE downloadable ACL Check syntax feature

Re: Bug when using the ISE downloadable ACL Check syntax feature

Re: Bug when using the ISE downloadable ACL Check syntax feature

Re: Bug when using the ISE downloadable ACL Check syntax feature