Solved: Trouble with ACLs with 2921 router running 15.2

jidaniels · ‎01-17-2014

I swapped out a 2811 router running 12.2 for a 2921 running 15.2. I copied the cfg from the 2811 to the 2921 and all the interface and ACL cmds ported over just fine. However, the outbound ACL doesn't seem to actually work properly as nothing can communicate thru the int unless I remove the ACL. There does not seem to be any easily findable documentation on creating ACLs for 2921s running 15.2.

Even this ACL:

interface GigabitEthernet0/2

description L3-ITS-P-EUC-BURNHAM

ip address 10.75.145.129 255.255.255.192

ip access-group ITS-P-EUC-BURNHAM-IN in

ip access-group ITS-P-EUC-BURNHAM-OUT out

Extended IP access list ITS-P-EUC-BURNHAM-OUT

10 permit ip any any log

results in dropped pkts:

localhost:~ jabedan$ ping 10.75.145.130

PING 10.75.145.130 (10.75.145.130): 56 data bytes

36 bytes from s-burnham.r-burnham.umnet.umich.edu (207.75.152.74): Communication prohibited by filter

Vr HL TOS Len ID Flg off TTL Pro cks Src Dst

4 5 00 5400 a40a 0 0000 3b 01 063e 35.2.22.146 10.75.145.130

Remove the ACL and full communication resumes.

r-BURNHAM(config)#int g0/2

r-BURNHAM(config-if)#no ip access-group ITS-P-EUC-BURNHAM-OUT out

r-BURNHAM(config-if)#^Z

localhost:~ jabedan$ ping 10.75.145.130

PING 10.75.145.130 (10.75.145.130): 56 data bytes

64 bytes from 10.75.145.130: icmp_seq=0 ttl=250 time=145.823 ms

64 bytes from 10.75.145.130: icmp_seq=1 ttl=250 time=7.634 ms

64 bytes from 10.75.145.130: icmp_seq=2 ttl=250 time=7.687 ms

Does anyone know the differences in ACLs and ACL application between these 2 platforms/softwares?

Jon Marshall · ‎01-17-2014

Jim

I don't think it's the platform, i think it's the IOS. For example from the 15.2(1)T release notes -

CSCtt19027

Symptoms: When ACL is applied to the serial interface or Gigabit interface, ping failure seen even though the permit statement is there.

Conditions: The symptom is observed when ACL is configured on the serial interface or Gigabit interface.

Workaround: Enable EPM by installing the security license.

Further Problem Description: This is seen with those images where EPM is not supported and because of that an EPM call always gives a return value as "deny" due to registry call

full bug details can be found here if you have access -

https://tools.cisco.com/bugsearch/bug/CSCtt19027

Jon

View solution in original post

cadet alain · ‎01-17-2014

Hi,

Did you try without the log keyword ?

Regards

Alain

Don't forget to rate helpful posts.

jidaniels · ‎01-17-2014

yes I started out without the log keyword, tried it to see if I could learn anything but nothing is logged per sh log. I have since removed it.

Jon Marshall · ‎01-17-2014

Jim

I don't think it's the platform, i think it's the IOS. For example from the 15.2(1)T release notes -

CSCtt19027

Symptoms: When ACL is applied to the serial interface or Gigabit interface, ping failure seen even though the permit statement is there.

Conditions: The symptom is observed when ACL is configured on the serial interface or Gigabit interface.

Workaround: Enable EPM by installing the security license.

Further Problem Description: This is seen with those images where EPM is not supported and because of that an EPM call always gives a return value as "deny" due to registry call

full bug details can be found here if you have access -

https://tools.cisco.com/bugsearch/bug/CSCtt19027

Jon

jidaniels · ‎01-17-2014

Jon, although I am currently testing just with ping, when I first tried the 2921, alot more than ping was not passing until I removed the ACL. This looks very promising, I'm going to upgrade and go from there. I'll post the results, it may be a few days as I need to schedule the outage. Thx for the reply, Jim

jidaniels · ‎01-27-2014

Upgrading to 15.2(4)M5 (Cisco preferred in 15.2 train for stability) fixed the problem. ACLs now apply properly and block what they should be blocking.

Jon Marshall · ‎01-27-2014

Jim

Thanks for letting us know the solution as it may well help others with the same problem.

Jon