6509 Won't Remove ACL entry

Stuart McGrath
Level 1

Hi,

We have a pair of 6509's with duplicate ACL lists & entries.

1 = Version 12.2(33)SXI4a

2 = Version 12.2(18)SXF15a

I wanted to remove some logging that was on an entry in one of our extended ACLs. On 1 this worked fine with

no 400

400 <acl rule without log>

However, on 2 it lets me carry out the no 400 command, but when I go to add the 400 <acl rule without log> I get the error

% Duplicate sequence number.

Sure enough, when I perform 'show access-lists <Name>' it is still there!

I have tried the following:

  • Adding a duplicate ACL entry before it (399) without log; I still get hits on line 400
  • Adding and removing the duplicate created line 399 (without logging) with no issues
  • Adding and removing a duplicate ACE (without logging) after it (line 401) with no issues

It looks like it is just this line: it seems to think it has removed it, but hasn't?!

I understand an option is to duplicate the ACL in a text editor, remove the line, delete the ACL and put the edit back in. However, I wondered if this is something known (a bug), or whether anyone has encountered it, should we come across it again.

11 Replies

John Blakley
VIP Alumni

It looks like you could have bug CSCso73076....

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCso73076&from=summary

It says that it was fixed in version 12.2(33)SXI which should be covered under your switch 1, so I would recommend an upgrade on switch 2.

HTH,
John

*** Please rate all useful posts ***


Hi John,

My apologies, I got the switch and code versions the wrong way round. This should actually be

6509_1 = Version 12.2(18)SXF15a

6509_2 = Version 12.2(33)SXI4a

So the 6509 with the issue actually has a version that shouldn't be affected by that bug.

Also, the ACL has nearly 200 lines in it and I can still delete and create others. It's just this one line (400) that won't delete.

Cheers

Stuart

Where is the acl used and what's its purpose? Have you tried a maintenance window and remove the acl from whatever it's applied to, try to remove the entry, and then reapply the acl?

HTH,
John

*** Please rate all useful posts ***


Hi John,

It looks as though re-applying it is the approach we will have to take. However, I was reaching out to see if anyone had had a similar occurrence, or knew of any reason why just one line won't delete.

The ACL is an extended ACL preventing one subnet from accessing the other.

Rgds

Stuart

Stuart,

It really should be as simple as going into the acl and doing a "no " and it should remove, so I do think you're running into some bug. It could be possible that you're still hitting the bug that I gave you, but the specific IOS may not be listed in the doc.

HTH,
John

*** Please rate all useful posts ***


I know,

and when I run that command for that line/ACE (400) it doesn't moan or error. However, when you do a 'show access-list' it is still there. Very strange.

Rgds

Stuart

I know this is a silly question, but did you try removing the line by specifying the complete line?

no 400 deny ip any host x.x.x.x log

HTH,
John

*** Please rate all useful posts ***


Hi John,

Yes. No joy.

Rgds

Stuart

Are you actually in ACL config mode when you try this? Maybe you can post the actual screenshots of your commands. I have never heard of anything like that. You could also try to exit out of ACL config mode after removing the 400 entry and then go back in and try to put the new one in. Or put it back in as entry 401.

conf t

ip access-list extended

no 400

Hi Glen,

Indeed I am...

Basically I am running the commands above. I edit ACL entries on a number of occasions, but this is the first time I have seen this.

It has worked on 6509_1 and appears to run the command no 400 (or just no 400) on 6509_2, but when you do "show access-lists" it is still there!

I didn't want to delete and reapply the ACL just yet, so I made a duplicate with a slightly different name, applied that to the VLAN interface and left the other unused, so I can try and fathom out why it is not removing it.

Rgds

Stuart

Has anyone experienced this?
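The two recovery options discussed in this thread (rebuild the ACL offline from `show access-lists` output with the `log` keyword removed, then either delete and recreate it under the same name in a maintenance window, or stage a renamed copy and swap the VLAN interface over to it as Stuart did) can be scripted so the rebuilt config is generated mechanically rather than hand-edited. The following is an added example and not code from the thread or from Cisco: the ACL name `BLOCK_SUBNET_A`, the subnets, the hit counters, the interface `Vlan100` and the `_V2` suffix are all constructed, and the parser assumes the `show access-lists` line format shown in the sample, with `log` or `log-input` as the trailing keyword of an ACE.

```python
"""Rebuild an IOS extended ACL with `log` stripped from chosen sequence numbers.

Added example for this thread (not Cisco's code, not the poster's own commands).
It turns `show access-lists <name>` output into config that recreates the ACL
without logging on the given ACEs, either under the same name (delete and
recreate) or under a new name (renamed copy plus interface swap), and checks
afterwards whether an ACE still carries `log`. Names, addresses, interface and
counters are constructed for the example.
"""
import re
from typing import List, Optional, Set, Tuple

Ace = Tuple[int, str]  # (sequence number, rule text with hit counters removed)

# Constructed `show access-lists` output; ACL name, subnets and hit counts are made up.
SAMPLE_SHOW = """\
Extended IP access list BLOCK_SUBNET_A
    10 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 443 (1234 matches)
    399 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
    400 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 log (56 matches)
    401 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
    500 permit ip any any (99 matches)
"""

HEADER = re.compile(r"^Extended IP access list (\S+)\s*$")
# indented "<seq> <rule>" optionally followed by " (N matches)" / " (1 match)"
ACE_LINE = re.compile(r"^\s+(\d+)\s+(.*?)(?:\s+\(\d+ match(?:es)?\))?\s*$")


def parse_show_access_list(text: str) -> Tuple[str, List[Ace]]:
    """Return (acl_name, aces) from `show access-lists <name>` output, dropping counters."""
    name: Optional[str] = None
    aces: List[Ace] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER.match(line)
        if m:
            name = m.group(1)
            continue
        m = ACE_LINE.match(line)
        if m and name is not None:
            aces.append((int(m.group(1)), m.group(2)))
    if name is None:
        raise ValueError("no 'Extended IP access list' header found")
    return name, aces


def strip_log(rule: str) -> str:
    """Remove a trailing `log` / `log-input` keyword; other rules come back unchanged."""
    tokens = rule.split()
    if tokens and tokens[-1] in ("log", "log-input"):
        tokens = tokens[:-1]
    return " ".join(tokens)


def rebuild_acl(name: str, aces: List[Ace], drop_log_from: List[int],
                new_name: Optional[str] = None) -> List[str]:
    """Config lines that recreate the ACL with logging removed from the given sequences.

    new_name=None: delete and recreate under the same name (the ACL is gone from any
    interface for a moment, so do this in a maintenance window).
    new_name set:  create a renamed copy and leave the original untouched.
    """
    seen: Set[int] = set()
    for seq, _ in aces:
        if seq in seen:  # a duplicate sequence in the parsed output is a sign of trouble
            raise ValueError(f"duplicate sequence number {seq} in parsed ACL")
        seen.add(seq)
    missing = [s for s in drop_log_from if s not in seen]
    if missing:
        raise ValueError(f"sequence numbers not in ACL: {missing}")

    lines: List[str] = []
    if new_name is None:
        lines.append(f"no ip access-list extended {name}")
    lines.append(f"ip access-list extended {new_name or name}")
    for seq, rule in aces:
        lines.append(f" {seq} {strip_log(rule) if seq in drop_log_from else rule}")
    return lines


def swap_on_interface(interface: str, acl_name: str, direction: str = "in") -> List[str]:
    """Config lines pointing an interface's access-group at the (renamed) ACL."""
    return [f"interface {interface}", f" ip access-group {acl_name} {direction}"]


def ace_logs(show_text: str, seq: int) -> bool:
    """True if the ACE with this sequence still carries `log` in fresh `show access-lists` output."""
    _, aces = parse_show_access_list(show_text)
    return any(s == seq and strip_log(rule) != rule for s, rule in aces)


if __name__ == "__main__":
    acl, entries = parse_show_access_list(SAMPLE_SHOW)
    print("\n".join(rebuild_acl(acl, entries, [400])))          # same-name rebuild
    print("!")
    staged = rebuild_acl(acl, entries, [400], new_name=acl + "_V2")  # renamed copy
    print("\n".join(staged + swap_on_interface("Vlan100", acl + "_V2")))
```

After pushing either variant, paste the new `show access-lists` output back through `ace_logs` to confirm that sequence 400 no longer reports `log`; with the renamed-copy variant the original ACL stays in the config, unapplied, for further investigation of why `no 400` is accepted but not honoured.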
