Nexus 7700 ACL doesn't work

spmzt
Level 1

Hi dear all,

Recently I ran into an issue with NX-OS 8.2(1) on a 7700 and would like to know why some of the policies, such as ACLs or route-maps, don't work very well, and why these rules couldn't filter or redirect traffic as I wish.

This is my configurations on F3 module:

ip access-list X
  1 permit icmp any any
route-map Y permit
  match ip address X
  set ip next-hop 172.16.0.2
interface vlan 1
  ip policy route-map Y

My rules were working until last night, but since today they have broken down and don't match anything!

I checked TCAM utilization and it's very clean. I saw this log about the aclqos program in my logging information:

entry number 5678: RPM-2-PPF_SES_VERIFY rpm [11700]  PPF session verify failed in client aclqos(Line card  5/VDC  NONE/UUID  366) with an error 0x4104001c(statistics configuration is not supported  with certain feature combinations

I'd appreciate it if someone could help me with this issue.

12 Replies

ADP_89
Level 1

Hello,

Have you made any changes to the configuration? Do you have TCAM bank chaining enabled on that module? If you do, you might be in the case where an ACL with statistics collection is applied to the same interface/same direction as the PBR policy, and that mix cannot be done.

sh run all | i "hardware access-list resource pooling"

ADP
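A small parser for the RPM-2-PPF_SES_VERIFY message quoted in the question, added here as an example and not posted by anyone in this thread: it pulls out the client, line card, VDC, UUID and error code from such lines in a log dump and flags 0x4104001c, the code whose message text says statistics are not supported with the current feature combination (the ACL-statistics plus PBR mix described in the reply above). The field names and the filler log line are my own constructions.

```python
import re
from typing import Dict, List, Optional

# Pattern for the NX-OS PPF session-verify syslog line as quoted in the question.
# Group names (pid, client, slot, vdc, uuid, code, reason) are my own labels.
PPF_VERIFY_RE = re.compile(
    r"RPM-2-PPF_SES_VERIFY\s+rpm\s+\[(?P<pid>\d+)\]\s+"
    r"PPF session verify failed in client\s+(?P<client>\w+)"
    r"\(Line card\s+(?P<slot>[^/\s]+)/VDC\s+(?P<vdc>[^/\s]+)/UUID\s+(?P<uuid>\d+)\)"
    r"\s+with an error\s+(?P<code>0x[0-9a-fA-F]+)\((?P<reason>[^)]*)\)?"
)

# Only the code seen on this thread; the description follows the log text itself.
KNOWN_CODES = {
    0x4104001c: "statistics configuration not supported with the current feature "
                "combination (e.g. ACL statistics and PBR on the same interface/direction)",
}

def parse_ppf_verify(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed fields of one PPF_SES_VERIFY line, or None if it is not one."""
    m = PPF_VERIFY_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"), 16)
    return {
        "client": m.group("client"),
        "slot": m.group("slot"),
        "vdc": m.group("vdc"),
        "uuid": int(m.group("uuid")),
        "code": code,
        # collapse the doubled spaces NX-OS leaves inside the reason text
        "reason": " ".join(m.group("reason").split()),
        "known_cause": KNOWN_CODES.get(code),
    }

def find_ppf_failures(log: str) -> List[Dict[str, object]]:
    """Scan a whole 'show logging' style dump and return every parsed PPF failure."""
    return [p for p in (parse_ppf_verify(l) for l in log.splitlines()) if p]

# Constructed sample: one filler line plus the exact line from the question.
SAMPLE_LOG = """\
entry number 5677: %ETHPORT-5-IF_UP: Interface Vlan1 is up
entry number 5678: RPM-2-PPF_SES_VERIFY rpm [11700]  PPF session verify failed in client aclqos(Line card  5/VDC  NONE/UUID  366) with an error 0x4104001c(statistics configuration is not supported  with certain feature combinations
"""

if __name__ == "__main__":
    for hit in find_ppf_failures(SAMPLE_LOG):
        print(hit)
```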

Thank you for your answer,

We don't have TCAM bank chaining on the device. Do you have any other advice or idea?

Please post the following output so we can see what's going on:

show hardware capacity forwarding

show hardware access-list resource utilization 

show system internal access-list status

Thanks,

ADP

Here is my output.

Did your aclqos process crash?

Can you check the output of 'show cores' and verify whether any cores were generated?

A similar defect triggered with ISSU

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvd68248

Thank you for your answer,

It seems like some processes crashed; I uploaded my results from my devices.

Looks like "show hardware capacity forwarding" is missing.

That result is empty.

The previous output was from the admin VDC; this one is from the data VDC.

Can't see any problems here. 

Have you tried to remove and apply the PBR again on the device?

ADP

Yes, I tried to rename and reapply my PBR on the interface, but it did not work.

OK, one last thing I'd like to check with you: can you post the "sh ip access-lists XXX summary", where XXX is the name of your ACL?

Thanks,

ADP
