cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
189
Views
0
Helpful
0
Replies
Highlighted

ACL feature 'established' no more working after firmware upgrade on Cisco Nexus 3500

After the firmware update (from version 6.0(2)A8(8) to version 7.0(3)I7(4)) on a Cisco Nexus 3500 (N3K-C3548P-10GX) Layer 3 switch the following type of ACL statements (IPv4) is no longer working:
  permit tcp x.x.x.x/xx y.y.y.y/yy established

 

TCP dump on the client before the firmware upgrade (SYN - SYN/ACK - ACK: the session could be established):
  15:03:28.165340 IP <Client IP>.55439 > <Server IP>.1502: S 3329876422:3329876422(0) win 5840 <mss 1460,sackOK,timestamp 2805281299 0,nop,wscale 7>
  15:03:28.165814 IP <Server IP>.1502 > <Client IP>.55439: S 465804522:465804522(0) ack 3329876423 win 65160 <mss 1460,nop,wscale 0,nop,nop,timestamp 1538332891 2805281299>
  15:03:28.165824 IP <Client IP>.55439 > <Server IP>.1502: . ack 1 win 46 <nop,nop,timestamp 2805281299 1538332891>

 

TCP dump on the client after the firmware upgrade (the 'SYN/ACK' packet is no more coming back from the server):
  15:09:31.343427 IP <Client IP>.55442 > <Server IP>.1502: S 3353109709:3353109709(0) win 5840 <mss 1460,sackOK,timestamp 2805644472 0,nop,wscale 7>
  15:09:34.343304 IP <Client IP>.55442 > <Server IP>.1502: S 3353109709:3353109709(0) win 5840 <mss 1460,sackOK,timestamp 2805647472 0,nop,wscale 7>
  15:09:40.343400 IP <Client IP>.55442 > <Server IP>.1502: S 3353109709:3353109709(0) win 5840 <mss 1460,sackOK,timestamp 2805653472 0,nop,wscale 7>
  15:09:52.343956 IP <Client IP>.55442 > <Server IP>.1502: S 3353109709:3353109709(0) win 5840 <mss 1460,sackOK,timestamp 2805665472 0,nop,wscale 7>

 

The 'SYN/ACK' packet from the server still seems to be accepted (ACE Action: Permit) by the ACL statement 'permit tcp <Server IP network> <Client IP network> established log':
  2018 Aug 22 15:11:11.691 <Layer 3 switch> %ACLLOG-5-ACLLOG_FLOW_INTERVAL: Src IP: <Server IP>, Dst IP: <Client IP>, Src Port: 1502, Dst Port: 55442, Src Intf: Ethernet1/24, Protocol: "TCP"(6), ACL Name: MY-ACL, ACE Action: Permit, Appl Intf: Vlan525, Hit-count: 10

 

However, the 'SYN/ACK' packet is no more forwarded to the client.

 

Does anyone know if this is a bug in the new firmware?

Everyone's tags (5)
CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards