Object-group on ACL Configuration Invalid During Startup

Mahmoud Lattouf
Level 1

Hi guys,

We have a weird problem on a Cisco ISR4351 when configuring a numbered access-list using object-groups for source and destination hosts.

We do not run into any problems when configuring the access-list, and the configuration appears in the running-config normally. We can also save the configuration normally and it appears in the startup config.

However, when reloading the router, and when the router is starting up and applying the startup config, we get "% Invalid input detected at '^' marker." under the object-group keyword of the access-list. Below the output during startup:

access-list 111 permit ip object-group SOURCE-GROUP object-group DEST-GROUP

                                        ^
% Invalid input detected at '^' marker.

After the router has completed starting up, we can re-add the sequence with the object-group normally, so the problem occurs when the router is starting up, not when trying to configure it from CLI.

Does anyone have any input for this problem?

6 Replies

Hi

Mmm, I think it could be a bug. I recommend opening a ticket with the Cisco TAC.

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Hi Julio, thanks for your input.

I did a thorough check on Cisco's bug tool, and I also upgraded the software on the router to 3.16.5S(ED), which appears to be the latest recommended version, but the problem persists.

I also checked the release notes for the 3.16S but found nothing related.

Could it be something other than a bug?

Hi

Please correct me if I am wrong: the object-group is created correctly, but once the router is rebooted it marks the object-group as invalid and the object-group is deleted from the config.


Hi,

It actually marks the access-list using the object-group as invalid. The object-group remains in the configuration, but the access-list is not present in the running-config. It is, however, present in the startup config, but applying it during startup fails.

Thanks

Thanks

Try to use a named ACL instead of a numeric one.

ip access-list extended TEST
permit ip object-group SOURCE-GROUP object-group DEST-GROUP

And please check if it is the same behavior.


Hi,

Named access-list instead of numbered worked fine. After performing the reload, the access-list was applied normally. Please note that this has also been tried on another router (4321) with the same results as previous ones, but with different IOS XE software versions.

Could this be a design limitation?
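The workaround confirmed in this thread (named extended ACL instead of a numbered ACL when object-groups are used) can be checked for before a reload rather than discovered during one. The script below is an added example, not code from the thread or from Cisco: it scans a saved configuration for numbered ACLs whose entries reference object-groups, rewrites them into the named form, and updates the matching `ip access-group` references. The sample configuration, the `ACL-<number>` naming and the assumption that entries of one numbered ACL are contiguous in the saved config are all constructed for the example.

```python
import re

# Constructed sample of a startup-config showing the pattern reported in
# the thread: a numbered ACL whose entries reference object-groups.
SAMPLE_CONFIG = """\
object-group network SOURCE-GROUP
 host 10.0.0.10
object-group network DEST-GROUP
 host 10.0.0.20
access-list 111 permit ip object-group SOURCE-GROUP object-group DEST-GROUP
access-list 111 deny ip any any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
interface GigabitEthernet0/0/0
 ip access-group 111 in
"""

NUMBERED_ACE = re.compile(r"^access-list\s+(\d+)\s+(.*)$")
ACCESS_GROUP = re.compile(r"^(\s*ip access-group\s+)(\d+)(\s+(?:in|out)\s*)$")

def numbered_acls_using_object_groups(config_text):
    """Return the set of numbered ACL numbers that have at least one entry
    referencing an object-group (the entries that fail to parse at startup)."""
    flagged = set()
    for line in config_text.splitlines():
        m = NUMBERED_ACE.match(line.strip())
        if m and re.search(r"\bobject-group\b", m.group(2)):
            flagged.add(int(m.group(1)))
    return flagged

def convert_to_named(config_text, prefix="ACL"):
    """Rewrite every flagged numbered ACL as a named extended ACL (the form the
    thread confirms survives a reload) and point 'ip access-group' references
    at the new name. Assumes the entries of one ACL are contiguous, as they
    are in a saved IOS configuration; the ACL-<number> naming is an assumption."""
    flagged = numbered_acls_using_object_groups(config_text)
    out, current = [], None
    for line in config_text.splitlines():
        m = NUMBERED_ACE.match(line.strip())
        if m and int(m.group(1)) in flagged:
            num = int(m.group(1))
            if num != current:  # first entry of this ACL: open the named block
                out.append(f"ip access-list extended {prefix}-{num}")
                current = num
            out.append(f" {m.group(2)}")  # keep the entry text verbatim
            continue
        current = None
        g = ACCESS_GROUP.match(line)
        if g and int(g.group(2)) in flagged:  # re-point interface references
            line = f"{g.group(1)}{prefix}-{g.group(2)}{g.group(3)}"
        out.append(line.rstrip())
    return "\n".join(out) + "\n"
```

Run the rewritten text through `numbered_acls_using_object_groups` again before pushing it to the device; an empty result means no numbered ACL with object-groups remains to trip over at startup.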
