04-21-2016 09:11 AM - edited 03-08-2019 05:26 AM
Hello,
We have an ASR1001-X on 15.5(3)S2 and we are experiencing an interesting issue with the zone-based firewall.
We have an access-list with about 25 lines; each line contains an object-group with about 30 networks.
This access-list is a member of a class-map, policy-map that is a member of a zone-pair.
Now if we were to add a single IP or a subnet to an object-group or remove some, or in any way play with any item within the zone-pair, this will cause an ESP Traceback.
Depending on the severity of the Traceback, the router will reboot.
We noticed that if we use smaller access-lists, they can be amended on the fly and object-groups can be populated without any Tracebacks.
What is the reason for this and what is the solution?
Cheers
04-22-2016 01:11 AM
It is almost certainly a bug.
It sounds like you are running 3.16.2S. I see Cisco have posted a special notice about this version:
This is a rebuild of the latest Extended Maintenance release version for early adoption.
Unless you like being an early adopter and helping Cisco discover bugs I would try dropping back to 3.15.3S.
04-22-2016 03:57 AM
Thanks Phil,
How blind I was not to notice that note.
I will try the 3.15.3S and provide an update.
04-22-2016 08:54 AM
3.15.3S is generating Tracebacks but not rebooting.
We have tried 3.13.2S (asr1001x-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin) and this doesn't generate tracebacks or reboot! We will try a higher train of the same release.
04-22-2016 09:40 AM
Yay, that is a nice feature - not crashing or rebooting.
It would be great if you could rate and mark helpful answers. :-)