CSCvz32377 - Port unauthorized due to ACL failure

hakkipeddi
Level 1

Has anybody experienced this on higher versions? I seem to replicate this issue on 17.3.5 (Cisco 9300 switch) with a 28-line DACL, which shows empty after successful authentication.

15 Replies

ammahend
VIP

I haven't experienced this. When you run "show authentication session interface xxxx detail" and "show ip access-list interface xxxx", is the ACL not showing under the interface, or is the ACL not even pushed as part of authorization?

-hope this helps-

I see the ACL is pushed and applied to the interface, it's just empty.

Server Policies:
ACS ACL: xACSACLx-IP-DACL_touch_panel-3194-38


Method status list:
Method State
dot1x Stopped
mab Authc Success

hostname#
hostname#sh ip access-lists xACSACLx-IP-DACL_touch_panel-3194-38

hostname#

The above output was when I had a DACL with 28 lines/entries. I shortened the DACL policy to 26 lines, bounced the port, and I see the DACL correctly applied.

Hmm, it's not uncommon for older bugs to resurface on new code. Ideally it should support up to 64 entries; you should talk to TAC.

-hope this helps-

ImObiWanKenobi
Level 1

We are hitting this bug also. Anybody know of a fixed version in the 16.X train for 3560 switches?

I mean 3650 switches.

stefanwillumeit
Level 1

Same here, IOS 16.12.7

Ciscouser1!
Level 1

Same issue here, on 17.6.5.

%SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client on Interface GigabitEthernet1/0/27 AuditSessionID . Failure Reason: ACL Failure

Anybody ever find a solution?
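The %SESSION_MGR-5-FAIL message quoted above is the one thing every switch in this thread has in common, so it is worth turning into a structured event rather than reading it by eye. The following Python is an added example (not from the thread or from Cisco): it parses a few constructed syslog lines modelled on that message and counts "ACL Failure" authorizations per switch and port, so a port that keeps failing with the same dACL stands out. The hostnames, timestamps and the non-ACL failure reason in the sample are made up for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines modelled on the message quoted in the thread.
# Hostnames, timestamps and the "VLAN Failure" reason are made up for this example.
SAMPLE_LOG = """\
Mar  1 10:02:11 sw-access-01 %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client on Interface GigabitEthernet1/0/27 AuditSessionID . Failure Reason: ACL Failure
Mar  1 10:02:15 sw-access-01 %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client on Interface GigabitEthernet1/0/27 AuditSessionID . Failure Reason: ACL Failure
Mar  1 10:03:40 sw-access-02 %SESSION_MGR-5-FAIL: Switch 2 R0/0: sessmgrd: Authorization failed or unapplied for client on Interface GigabitEthernet2/0/5 AuditSessionID . Failure Reason: VLAN Failure
Mar  1 10:04:02 sw-access-01 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/27, changed state to up
"""

# Pull the syslog host, the interface and the failure reason out of a SESSION_MGR-5-FAIL line.
FAIL_RE = re.compile(
    r"(?P<host>\S+) %SESSION_MGR-5-FAIL: .*?"
    r"on Interface (?P<intf>\S+) .*?Failure Reason: (?P<reason>.+?)\s*$"
)


def parse_session_failures(text):
    """Return one dict (host, intf, reason) for every SESSION_MGR-5-FAIL line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def acl_failures_by_port(text):
    """Count only 'ACL Failure' events, keyed by (host, interface).

    Repeated hits on one port are the pattern seen in this thread: the dACL is
    pushed, the switch cannot apply it, and every re-authentication fails the same way.
    """
    counts = Counter()
    for ev in parse_session_failures(text):
        if ev["reason"] == "ACL Failure":
            counts[(ev["host"], ev["intf"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (host, intf), n in sorted(acl_failures_by_port(SAMPLE_LOG).items()):
        print(f"{host} {intf}: {n} ACL Failure authorizations")
```

Point the same functions at a real syslog export; the "VLAN Failure" line in the sample only shows that other failure reasons are parsed but not counted as ACL problems.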

Ciscouser1!
Level 1

Not sure if this helps anyone, but my issue was with the dACL in ISE where I had a duplicate entry for a host. The 9200 switch platform did not know how to read the dACL due to the second entry and therefore displayed the error. Once I removed the duplicate entry and saved the dACL, it worked. Hope this helps someone.

ImObiWanKenobi
Level 1

We eventually solved our issue. It was caused by the ACL name being too long and our problem was permanently resolved after that change.

Can you tell us how short you renamed the ACL? Any particular character limit you seem to be working to? I will try this in my environment now.

I think the limit was 32 but I don't remember now. How did it go and did it resolve the issue?

So I just double-checked. We push a lot of DACLs via our NAC device, a unique DACL for every device type. The actual names of the other DACLs are longer than the problematic one and work fine. The only difference is that the rest are less than 28 lines in length.

Unfortunately, there isn't much scope to trim down this DACL to <28 lines. But just for testing, when I bring to 27 lines, works like a charm.
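Three different causes of the same "ACL Failure" come up in this thread: a dACL of 28 or more entries (27 worked, 28 did not), a duplicate entry for a host, and possibly a long ACL name. The following Python is an added example (not from the thread, ISE or Cisco): a small linter that takes a dACL in the one-ACE-per-line form you paste into ISE and flags those three conditions before the policy is pushed. The thresholds are taken from what posters observed here, not from documented platform limits, and the 32-character name limit is the figure one poster only half remembered, so both are marked as assumptions in the code and should be set to whatever your own switches accept. The sample dACL text and its name are constructed.

```python
import re

# Thresholds taken from this thread's observations. They are empirical, not
# documented platform limits (ASSUMPTION): 28 entries failed and 27 worked on
# the poster's 9300; the 32-character name limit is what one poster recalled.
MAX_ENTRIES_OBSERVED_OK = 27
MAX_NAME_LENGTH = 32

# Constructed sample dACL: lines 3 and 4 are the same ACE with different spacing.
SAMPLE_DACL_NAME = "DACL_touch_panel"
SAMPLE_DACL = """\
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit tcp any host 10.10.10.5 eq 443
permit  tcp any host 10.10.10.5  eq 443
deny ip any any
"""


def parse_dacl(text):
    """Split dACL text into ACEs, dropping blank lines and remark lines."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("remark"):
            continue
        aces.append(line)
    return aces


def normalize_ace(ace):
    """Collapse whitespace and case so cosmetically different duplicates compare equal."""
    return re.sub(r"\s+", " ", ace).strip().lower()


def lint_dacl(name, text, max_entries=MAX_ENTRIES_OBSERVED_OK, max_name=MAX_NAME_LENGTH):
    """Return a list of human-readable findings; an empty list means no issue found.

    Note that the name the switch actually receives carries the xACSACLx-IP- prefix
    and a version suffix (see the sh ip access-lists output earlier in this thread),
    so pass the full pushed name if you want to check that length rather than the ISE name.
    """
    findings = []
    aces = parse_dacl(text)
    if len(name) > max_name:
        findings.append(f"name too long: {len(name)} chars (assumed limit {max_name})")
    if len(aces) > max_entries:
        findings.append(f"{len(aces)} entries exceeds the {max_entries} observed to apply cleanly")
    seen = {}
    for idx, ace in enumerate(aces, 1):
        key = normalize_ace(ace)
        if key in seen:
            findings.append(f"duplicate entry: line {idx} repeats line {seen[key]}")
        else:
            seen[key] = idx
    return findings


if __name__ == "__main__":
    for finding in lint_dacl(SAMPLE_DACL_NAME, SAMPLE_DACL):
        print(finding)
```

Run it over every dACL you export from ISE; the duplicate check is what would have caught the 9200 case described earlier, and the entry-count check is the one that matters for the 28-line DACL in this thread.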

carlose7vj
Level 1

Folks, we had a similar issue and we fixed it by using IOS-XE 16.9.5.

I'm using 16.9.8 on C3650 and 17.6.1 on C9400s. Still having the same problem.