Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1491
Views
0
Helpful
3
Replies

Bug when using the ISE downloadable ACL Check syntax feature

davedvo
Level 1
Level 1

‎08-18-2021 01:36 PM

Hi Cisco Community,

I have recently noticed that there is a bug with my version of Cisco ISE at 2.7 patch 4, where I get the following message when I am trying to check the syntax of one of my Downloadable ACLs:

 

java.lang.ArrayIndexOutOfBoundsException:
4 at com.cisco.cpm.admin.utils.DACLValidator.isV
alidIpv4(DACLValidator.java:189) at com.cisco.cpm.admin.utils.DACLValidator.val
idateSubnetMasksIpv4(DACLValidator.java:171
) at com.cisco.cpm.admin.utils.DACLValidator.val
idateSubnetMasksForVersions(DACLValidator.j
ava:144) at com.cisco.cpm.admin.utils.DACLValidator.val
idate(DACLValidator.java:60) at com.cisco.cpm.admin.nsf.action.NSFDaclActio
n.parseDacl(NSFDaclAction.java:278) at sun.reflect.NativeMethodAccessorImpl.invoke
0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke
(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.in
voke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java
:498) at com.cisco.cpm.admin.infra.spring.ISEAdminCo
ntroller.performExecution(ISEAdminControlle
r.java:155) at com.cisco.cpm.admin.infra.spring.ISEAdminCo
ntroller.handleRequest(ISEAdminController.jCisco ISE, Identity Services Engine (ISE)
ava:121) at org.springframework.web.servlet.mvc.SimpleC
ontrollerHandlerAdapter.handle(SimpleContro
llerHandlerAdapter.java:52) at org.springframework.web.servlet.DispatcherS
ervlet.doDispatch(DispatcherServlet.java:10
38) at org.springframework.web.servlet.DispatcherS
ervlet.doService(DispatcherServlet.java:942
) at org.springframework.web.servlet.FrameworkSe
rvlet.processRequest(FrameworkServlet.java:
1005) at org.springframework.web.servlet.FrameworkSe
rvlet.doPost(FrameworkServlet.java:908) at
javax.servlet.http.HttpServlet.service(Http
Servlet.java:660) at org.springframework.web.servlet.FrameworkSe
rvlet.service(FrameworkServlet.java:882) a
t javax.servlet.http.HttpServlet.service(Http
Servlet.java:741) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:231) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at org.apache.tomcat.websocket.server.WsFilter
.doFilter(WsFilter.java:53) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.UserInfoFil
ter.doFilter(UserInfoFilter.java:152) at
org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.Navigationa
lViewPreferencesFilter.doFilter(Navigationa
lViewPreferencesFilter.java:99) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at org.apache.catalina.core.ApplicationDispatc
her.invoke(ApplicationDispatcher.java:712)
at org.apache.catalina.core.ApplicationDispatc
her.processRequest(ApplicationDispatcher.ja
va:459) at org.apache.catalina.core.ApplicationDispatc
her.doForward(ApplicationDispatcher.java:38
4) at org.apache.catalina.core.ApplicationDispatc
her.forward(ApplicationDispatcher.java:312)
at com.cisco.cpm.admin.infra.utils.WebRequestF
orwardingFilter.doFilter(WebRequestForwardi
ngFilter.java:43) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at org.owasp.csrfguard.CsrfGuardFilter.doFilte
r(CsrfGuardFilter.java:88) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.WebCleanCac
heFilter.doFilter(WebCleanCacheFilter.java:
42) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.rbacfilter.AccessCheckFilter.
doFilter(AccessCheckFilter.java:75) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.LogFilter.d
oFilter(LogFilter.java:83) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.RequestHead
erRefererValidationFilter.processRequest(Re
questHeaderRefererValidationFilter.java:53)
at com.cisco.cpm.admin.infra.utils.RequestHead
erRefererValidationFilter.doFilter(RequestH
eaderRefererValidationFilter.java:39) at
org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.RequestHead
erValidationFilter.doFilter(RequestHeaderVa
lidationFilter.java:138) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.RequestHead
erSanityFilter.doFilter(RequestHeaderSanity
Filter.java:115) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.UserInfoFil
ter.doFilter(UserInfoFilter.java:152) at
org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.xss.XssCheckFilter.doFi
lter(XssCheckFilter.java:133) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.LoginCheckF
ilter.doFilter(LoginCheckFilter.java:364)
at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.ParamFilter
.doFilter(ParamFilter.java:72) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.CommonReque
stParameterFilter.doFilter(CommonRequestPar
ameterFilter.java:69) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.CharacterEn
codingFilter.doFilter(CharacterEncodingFilt
er.java:122) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.Navigationa
lViewPreferencesFilter.doFilter(Navigationa
lViewPreferencesFilter.java:99) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.ise.tomcat.xss.AdditionalXssCheck
Filter.doFilter(AdditionalXssCheckFilter.ja
va:54) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.ise.tomcat.xss.FilePathCheckFilte
r.doFilter(FilePathCheckFilter.java:72) at
org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.ResponseHea
dersFilter.doFilter(ResponseHeadersFilter.j
ava:63) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at com.cisco.cpm.admin.infra.utils.RequestDeco
dingFilter.executeNextFilter(RequestDecodin
gFilter.java:142) at com.cisco.cpm.admin.infra.utils.RequestDeco
dingFilter.doFilter(RequestDecodingFilter.j
ava:93) at org.apache.catalina.core.ApplicationFilterC
hain.internalDoFilter(ApplicationFilterChai
n.java:193) at org.apache.catalina.core.ApplicationFilterC
hain.doFilter(ApplicationFilterChain.java:1
66) at org.apache.catalina.core.StandardWrapperVal
ve.invoke(StandardWrapperValve.java:200) a
t org.apache.catalina.core.StandardContextVal
ve.invoke(StandardContextValve.java:96) at
org.apache.catalina.authenticator.Authentic
atorBase.invoke(AuthenticatorBase.java:607)
at org.apache.catalina.valves.RequestFilterVal
ve.process(RequestFilterValve.java:348) at
org.apache.catalina.valves.LocalAddrValve.i
nvoke(LocalAddrValve.java:51) at org.apache.catalina.core.StandardHostValve.
invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve
.invoke(ErrorReportValve.java:92) at com.cisco.ise.tomcat.valves.GuestVlanUrlRed
irectValve.invoke(GuestVlanUrlRedirectValve
.java:80) at org.apache.catalina.authenticator.SingleSig
nOn.invoke(SingleSignOn.java:240) at org.apache.catalina.core.StandardEngineValv
e.invoke(StandardEngineValve.java:74) at
org.apache.catalina.valves.MethodsValve.inv
oke(MethodsValve.java:52) at org.apache.catalina.connector.CoyoteAdapter
.service(CoyoteAdapter.java:343) at org.apache.coyote.http11.Http11Processor.se
rvice(Http11Processor.java:408) at org.apache.coyote.AbstractProcessorLight.pr
ocess(AbstractProcessorLight.java:66) at
org.apache.coyote.AbstractProtocol$Connecti
onHandler.process(AbstractProtocol.java:834
) at org.apache.tomcat.util.net.NioEndpoint$Sock
etProcessor.doRun(NioEndpoint.java:1415) a
t org.apache.tomcat.util.net.SocketProcessorB
ase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.run
Worker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Wor
ker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$W
rappingRunnable.run(TaskThread.java:61) at
java.lang.Thread.run(Thread.java:748)
 
Is there currently any workarounds to this issue that anyone has had success with? It seems to only occur for ACLs that have the correct syntax.
0 Helpful
3 Replies 3

Dustin Anderson
VIP
VIP

‎08-18-2021 01:50 PM

I have a test ISE with 2.7 patch 4 and have no issues. When we originally went to 2.6, I had issues as the dACLs now supports IPv6. I had to recreate dACLs specifying IPv4 to get them to validate and work. old dACLs had the option to specify greyed out.

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee

‎08-18-2021 05:25 PM

Those are Java errors referencing a lot of internal processes used by ISE. If you've already done the standard troubleshooting for client Java issues (cleared cache, tried another browser, reinstalled the latest version of Java, etc.), I would suggest opening a TAC case to investigate the issue further.

0 Helpful

hslai
Cisco Employee
Cisco Employee

‎08-21-2021 09:43 PM

Pick Agnostic as the IP version, in order to avoid syntax checks.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents