02-08-2017 02:15 AM - edited 03-05-2019 07:59 AM
Hi guys,
We have a weird problem on a Cisco ISR4351 when configuring a numbered access-list using object-groups for source and destination hosts.
We do not run into any problems when configuring the access-list, and the configuration appears in the running-config normally. We can also save the configuration normally and it appears in the startup config.
However, when reloading the router, and when the router is starting up and applying the startup config, we get "% Invalid input detected at '^' marker." under the object-group keyword of the access-list. Below is the output during startup:
access-list 111 permit ip object-group SOURCE-GROUP object-group DEST-GROUP
^
% Invalid input detected at '^' marker.
After the router has completed starting up, we can re-add the sequence with the object-group normally, so the problem occurs when the router is starting up, not when trying to configure it from CLI.
Does anyone have any input for this problem?
02-08-2017 02:20 AM
Hi
Mmm, I think it could be a bug. I recommend opening a ticket with the Cisco TAC.
02-08-2017 02:31 AM
Hi Julio, thanks for your input.
I did a thorough check on Cisco's bug tool, and I also upgraded the software on the router to 3.16.5S(ED), which appears to be the latest recommended version, but the problem persists.
I also checked the release notes for the 3.16S but found nothing related.
Could it be something other than a bug?
02-08-2017 02:42 AM
Hi
Please correct me if I am wrong: the object-group is created correctly, and once the router is rebooted it marks the object-group as invalid and the object-group is deleted from the config.
02-08-2017 02:44 AM
Hi,
It actually marks the access-list using the object-group as invalid. The object-group remains in the configuration, but the access-list is not present in the running-config. It is, however, present in the startup config, but applying it during startup fails.
Thanks
02-08-2017 02:50 AM
Thanks
Try to use a named ACL instead of a numeric one.
ip access-list extended TEST
 permit ip object-group SOURCE-GROUP object-group DEST-GROUP
And please check if it is the same behavior.
02-08-2017 04:01 AM
Hi,
Named access-list instead of numbered worked fine. After performing the reload, the access-list was applied normally. Please note that this has also been tried on another router (4321) with the same results as previous ones, but with different IOS XE software versions.
Could this be a design limitation?
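Added example, not part of the thread and not Cisco tooling: a Python check for the failure described above, where an ACL entry is saved in the startup config but is missing from the running config after a reload. The two config excerpts are constructed samples (object-group and ACL names follow the thread), and the function names are hypothetical.

```python
import re

# Constructed sample excerpts, not captured from the routers in the thread.
STARTUP = """\
object-group network SOURCE-GROUP
 host 192.0.2.1
object-group network DEST-GROUP
 host 192.0.2.2
access-list 110 permit ip any host 192.0.2.3
access-list 111 permit ip object-group SOURCE-GROUP object-group DEST-GROUP
ip access-list extended TEST
 permit ip object-group SOURCE-GROUP object-group DEST-GROUP
"""
# Same config as seen after reload: the numbered object-group entry is gone.
RUNNING = STARTUP.replace(
    "access-list 111 permit ip object-group SOURCE-GROUP object-group DEST-GROUP\n", "")

def acl_entries(config):
    """Return a set of (acl_name, entry) pairs for numbered and named ACLs."""
    entries, current = set(), None
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        m = re.match(r"access-list (\d+) (.+)", line)
        if m:  # numbered form: one entry per line
            entries.add((m.group(1), m.group(2)))
            current = None
        elif (m := re.match(r"ip access-list (?:standard|extended) (\S+)", line)):
            current = m.group(1)  # named form: entries follow, indented
        elif current and raw.startswith(" ") and line:
            # Drop a leading sequence number if the image prints one.
            entries.add((current, re.sub(r"^\d+ ", "", line)))
        else:
            current = None
    return entries

def dropped_after_reload(startup, running):
    """ACL entries present in startup-config but absent from running-config."""
    missing = acl_entries(startup) - acl_entries(running)
    return sorted((name, entry, "object-group" in entry.split())
                  for name, entry in missing)

if __name__ == "__main__":
    for name, entry, uses_og in dropped_after_reload(STARTUP, RUNNING):
        note = " (uses object-group)" if uses_og else ""
        print(f"ACL {name}: missing after reload: {entry}{note}")
```

Run it against saved copies of `show startup-config` and `show running-config` taken after a reload; any reported entry is a rule that was saved but is not being enforced.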