Solved: access list stops working

t.ricco · ‎07-17-2023

Hello Group-Members,

it's really strange but since setting up new access-lists (I never used them before) I noted that the lists stops working after 24h after applying it on the interface. This happens on a C9200L with IOS XE 17.3.7 (and on an elder C4500X).

My lists look like this:

ip access-list extended 111
remark packets on port 22,80,443 from host (10.0.0.10) to server (10.0.0.11) allowed
permit tcp host 10.0.0.10 range 0 65535 host 10.0.0.11 eq 22
permit tcp host 10.0.0.10 range 0 65535 host 10.0.0.11 eq 80
permit tcp host 10.0.0.10 range 0 65535 host 10.0.0.11 eq 443
remark only established connections from server to host allowed
permit tcp host 10.0.0.11 eq 22 host 10.0.0.10 range 0 65535 established
permit tcp host 10.0.0.11 eq 80 host 10.0.0.10 range 0 65535 established
permit tcp host 10.0.0.11 eq 443 host 10.0.0.10 range 0 65535 established
deny ip any any

The Interface of the server (10.0.0.11) looks like this:

interface GigabitEthernet1/0/11
description Server with IP 10.0.0.11
switchport access vlan 11
switchport mode access
switchport port-security violation restrict
switchport port-security mac-address-sticky
switchport port-security
ip access-group 111 in
spanning-tree portfast

The Interface of the Host (10.0.0.10) has no ip access-group entry.

After setting
ip access-group 111 in

the connection works for 24h (reproducible), then it stops. No access to the serverports 22,80,443 is possible anymore.

By reapplying it via:

no ip access-group 111 in

and

ip access-group 111 in

It's working for the next 24h...

Maybe it has something to do with the "established" part of the rule... but why in the world it stops from working after 24h ????

And why does it work after reapplying? If the rule is wrong the ACL should not work a second....

Any hints are welcome, thanks.

MHM Cisco World · ‎07-17-2023

Can you do the following'

Ip access-list extended 111

Deny ip any any log

Direct IN

Let see what traffic drop in this direction.

View solution in original post

Flavio Miranda · ‎07-17-2023

Hi @t.ricco

It can be a Bug but I believe it also can be related to the port-security. Port Security aging time is 24hrs. I would try to remove the port-security on the port and see if something change.

MHM Cisco World · ‎07-17-2023

Can you do the following'

Ip access-list extended 111

Deny ip any any log

Direct IN

Let see what traffic drop in this direction.

t.ricco · ‎07-20-2023

Thank you for all your replies.

I think the problem was linked to DHCP and the lease time of 24h. I found in log file that the server asked after 12h for a new lease, but didn't get an answer, due to the restrictions. After 24h the dhcp-address expired.

Therefore I added this lines to rules:

permit udp host 10.0.0.11 eq 68 any eq 67
permit udp host 10.0.0.1 eq 67 host 10.0.0.11 eq 68

If this does not work I'll remove DHCP and use fixed ip or use the mac-addresses instead.

Joseph W. Doherty · ‎07-18-2023

Hmm, don't recall ever seeing a L3 ACL applied on a L2 interface. In theory, if hardware supports, don't see why it cannot be done. (Anyone seen this done?)

Just curious, was the range 0 65535 actually entered that way or did the switch generate that option?

@Flavio Miranda observation, about port security's 24 hour timer is interesting. Any messages in syslog at the 24 hour mark?

Do you have a support contract?