ACL feature 'established' no longer working after firmware upgrade on Cisco Nexus 3500
After the firmware update (from version 6.0(2)A8(8) to version 7.0(3)I7(4)) on a Cisco Nexus 3500 (N3K-C3548P-10GX) Layer 3 switch, the following type of ACL statement (IPv4) no longer works:

    permit tcp x.x.x.x/xx y.y.y.y/yy established
TCP dump on the client before the firmware upgrade (SYN - SYN/ACK - ACK: the session could be established):

    15:03:28.165340 IP <Client IP>.55439 > <Server IP>.1502: S 3329876422:3329876422(0) win 5840 <mss 1460,sackOK,timestamp 2805281299 0,nop,wscale 7>
    15:03:28.165814 IP <Server IP>.1502 > <Client IP>.55439: S 465804522:465804522(0) ack 3329876423 win 65160 <mss 1460,nop,wscale 0,nop,nop,timestamp 1538332891 2805281299>
    15:03:28.165824 IP <Client IP>.55439 > <Server IP>.1502: . ack 1 win 46 <nop,nop,timestamp 2805281299 1538332891>
TCP dump on the client after the firmware upgrade (the 'SYN/ACK' packet is no longer coming back from the server; the client keeps retransmitting its SYN):

    15:09:31.343427 IP <Client IP>.55442 > <Server IP>.1502: S 3353109709:3353109709(0) win 5840 <mss 1460,sackOK,timestamp 2805644472 0,nop,wscale 7>
    15:09:34.343304 IP <Client IP>.55442 > <Server IP>.1502: S 3353109709:3353109709(0) win 5840 <mss 1460,sackOK,timestamp 2805647472 0,nop,wscale 7>
    15:09:40.343400 IP <Client IP>.55442 > <Server IP>.1502: S 3353109709:3353109709(0) win 5840 <mss 1460,sackOK,timestamp 2805653472 0,nop,wscale 7>
    15:09:52.343956 IP <Client IP>.55442 > <Server IP>.1502: S 3353109709:3353109709(0) win 5840 <mss 1460,sackOK,timestamp 2805665472 0,nop,wscale 7>
The 'SYN/ACK' packet from the server still seems to be accepted (ACE Action: Permit) by the ACL statement 'permit tcp <Server IP network> <Client IP network> established log':

    2018 Aug 22 15:11:11.691 <Layer 3 switch> %ACLLOG-5-ACLLOG_FLOW_INTERVAL: Src IP: <Server IP>, Dst IP: <Client IP>, Src Port: 1502, Dst Port: 55442, Src Intf: Ethernet1/24, Protocol: "TCP"(6), ACL Name: MY-ACL, ACE Action: Permit, Appl Intf: Vlan525, Hit-count: 10
However, the 'SYN/ACK' packet is no longer forwarded to the client.
Does anyone know if this is a bug in the new firmware?
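To make the expected behaviour of the 'established' keyword concrete, here is an added example (not part of the original post, and not Cisco code) that parses old-format tcpdump lines like the ones quoted above and evaluates them against a model of the post's return-path ACE. On Cisco IOS and NX-OS ACLs, 'established' is a pure flag test: a TCP segment matches only if its ACK or RST bit is set, so the server's SYN/ACK matches while a server-originated bare SYN does not. The capture text is constructed from the pre-upgrade handshake with RFC 5737 documentation addresses standing in for the redacted <Client IP> and <Server IP>; the /24 prefixes for '<Server IP network>' and '<Client IP network>' are assumptions. Client-to-server lines get 'deny' here only because they do not match the ACE's source prefix; on the real switch they would be evaluated by whatever ACL applies in that direction.

```python
"""Model of Cisco ACL 'established' matching, checked against tcpdump output.

Added example, not from the original post. The 'established' keyword on
Cisco IOS/NX-OS ACLs matches a TCP segment only when its ACK or RST bit is
set, so a bare SYN (connection initiation) never matches while SYN/ACK,
pure ACK and RST segments do.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample capture modelled on the pre-upgrade handshake quoted in
# the post. The post redacts the addresses; RFC 5737 documentation addresses
# stand in for <Client IP> and <Server IP>.
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.20"

SAMPLE_CAPTURE = f"""\
15:03:28.165340 IP {CLIENT_IP}.55439 > {SERVER_IP}.1502: S 3329876422:3329876422(0) win 5840 <mss 1460,sackOK,timestamp 2805281299 0,nop,wscale 7>
15:03:28.165814 IP {SERVER_IP}.1502 > {CLIENT_IP}.55439: S 465804522:465804522(0) ack 3329876423 win 65160 <mss 1460,nop,wscale 0,nop,nop,timestamp 1538332891 2805281299>
15:03:28.165824 IP {CLIENT_IP}.55439 > {SERVER_IP}.1502: . ack 1 win 46 <nop,nop,timestamp 2805281299 1538332891>
"""

# Old-style tcpdump TCP line: the flag letters (S, F, R, P, or '.' for none)
# come right after the ports; the ACK bit is shown separately as 'ack N'.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+)(?P<rest>.*)$"
)
# \b keeps 'sackOK' in the TCP options from being mistaken for an ACK.
ACK_RE = re.compile(r"\back \d+")


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False
    fin: bool = False

    def describe(self) -> str:
        bits = [n for n, v in (("SYN", self.syn), ("ACK", self.ack),
                               ("RST", self.rst), ("FIN", self.fin)) if v]
        return f"{self.src}:{self.sport} -> {self.dst}:{self.dport} [{'/'.join(bits) or 'none'}]"


def parse_tcpdump_line(line: str) -> Optional[Segment]:
    """Parse one old-format tcpdump TCP line; return None for anything else."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    flags = m["flags"]
    return Segment(
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        syn="S" in flags, rst="R" in flags, fin="F" in flags,
        ack=ACK_RE.search(m["rest"]) is not None,
    )


@dataclass(frozen=True)
class Ace:
    """One IPv4 TCP access-list entry (no port matching, like the post's ACE)."""
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool = False

    def matches(self, seg: Segment) -> bool:
        if ipaddress.ip_address(seg.src) not in self.src:
            return False
        if ipaddress.ip_address(seg.dst) not in self.dst:
            return False
        # 'established' is a flag test only: ACK or RST must be set. Nothing
        # here tracks connection state, so a crafted ACK segment matches too.
        if self.established and not (seg.ack or seg.rst):
            return False
        return True


def evaluate(acl: List[Ace], seg: Segment) -> str:
    """First match wins; an unmatched segment hits the implicit deny."""
    for ace in acl:
        if ace.matches(seg):
            return ace.action
    return "deny"


# Hypothetical prefixes for the post's <Server IP network> / <Client IP network>.
SERVER_NET = ipaddress.ip_network("198.51.100.0/24")
CLIENT_NET = ipaddress.ip_network("192.0.2.0/24")

# The post's return-path ACE: permit tcp <Server IP network> <Client IP network> established
MY_ACL = [Ace("permit", SERVER_NET, CLIENT_NET, established=True)]


def verdicts(capture: str, acl: List[Ace] = MY_ACL) -> List[str]:
    """ACL verdict for each TCP line of the capture, in order."""
    segs = [s for s in (parse_tcpdump_line(ln) for ln in capture.splitlines()) if s]
    return [evaluate(acl, s) for s in segs]


if __name__ == "__main__":
    for ln in SAMPLE_CAPTURE.splitlines():
        seg = parse_tcpdump_line(ln)
        print(f"{evaluate(MY_ACL, seg):6}  {seg.describe()}")
    # A server-originated bare SYN (constructed) is what 'established' exists to block.
    rogue = Segment(SERVER_IP, 4444, CLIENT_IP, 22, syn=True)
    print(f"{evaluate(MY_ACL, rogue):6}  {rogue.describe()}")
```

Running it shows the SYN/ACK line as 'permit', which is exactly what the ACLLOG message in the post reports; if the hardware is then dropping a segment the software ACL path logs as permitted, the problem lies past ACE matching, not in the 'established' flag test itself.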