Hello

Hoping someone can shed some light on this ACL behaviour we're seeing. We have 2 Nexus 9ks with a vlan interface configured as follows:

interface Vlan15
no shutdown
mtu 9216
no ip redirects
ip address 172.20.15.2/24
no ipv6 redirects
ip ospf passive-interface
ip router ospf 100 area 0.0.0.0
hsrp version 2
hsrp 15
authentication md5 key-string 15
preempt delay minimum 30
priority 150
timers 1 3
ip 172.20.15.1
ip dhcp relay address 172.20.x.x
ip dhcp relay address 172.20.x.x

There are two servers behind it and I'm trying to restrict access from the servers outbound. This is the ACL I applied:

ip access-list ACL_VLAN15_in
permit tcp any <public ip>/32 eq 8000
permit tcp any <public ip>/32 eq 8089
permit tcp any <public ip>/32 eq 9997
deny icmp any any
deny tcp any any eq 22
deny tcp any any eq 514
deny udp any any eq 514
deny tcp any any eq 9100
deny ip any any
statistics per-entry

Once I apply this to vlan 15 we can no longer SSH to the servers from outside. I added the deny eq22 statement to see if it was somehow being blocked in the opposite direction, but the stats show that it's not:

# sh ip access-lists ACL_VLAN15_in

IP access list ACL_VLAN15_in
statistics per-entry
10 permit tcp any <public ip>/32 eq 8000 [match=0]
20 permit tcp any <public ip>/32 eq 8089 [match=178]
30 permit tcp any <public ip>/32 eq 9997 [match=88174]
40 deny icmp any any [match=18]
50 deny tcp any any eq 22 [match=0]
60 deny tcp any any eq cmd [match=0]
70 deny udp any any eq syslog [match=0]
80 deny ip any any [match=4595]

Two questions:

1) Why is traffic in the other direction affected?

2) Is there an easy way to see what traffic is hitting the deny statement at the end so we can identify which additional ports need to be allowed?

Thanks

LB