Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
892
Views
5
Helpful
4
Replies

Cisco ASR 1001-X access-list/object-group change causes a traceback and reboot

Go to solution
Sergej Tiurin
Level 1
Level 1

ā€Ž04-21-2016 09:11 AM - edited ā€Ž03-08-2019 05:26 AM

Hello,

we have an ASR1001-X on 15.5(3)S2 and we experiencing an interesting issue with the zone based firewall.

We have an access-list with about 25 lines, each line contains object-group with about 30 networks.

This access-list is a member of class-map, policy-map that is a member of a zone-pair.

Now if we were to add a single ip or a subnet to an object group or remove some, or in any way play with any item within the zone-pair, this will cause an ESP Traceback.

Depending on severity of Traceback a router will reboot.

We noticed that if we use smaller access-list they can be amended on the fly and object-group can be populated without any Tracebacks.

What is the reason to this and what is the solution?

Cheers

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

ā€Ž04-22-2016 01:11 AM

It is almost certainly a bug.

It sounds like you are running 3.16.2S.  I see Cisco have posted a special notice about this version:

This is a rebuild of the latest Extended Maintenance release version for early adoption.

Unless you like being an early adopter and helping Cisco discover bugs I would try dropping back to 3.15.3S.

View solution in original post

4 Replies 4

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

ā€Ž04-22-2016 01:11 AM

It is almost certainly a bug.

It sounds like you are running 3.16.2S.  I see Cisco have posted a special notice about this version:

This is a rebuild of the latest Extended Maintenance release version for early adoption.

Unless you like being an early adopter and helping Cisco discover bugs I would try dropping back to 3.15.3S.

Go to solution
Sergej Tiurin
Level 1
Level 1
In response to Philip D'Ath

ā€Ž04-22-2016 03:57 AM

Thanks Phil,

how blind I was not to notice that note.

I will try the 3.15.3S and provide an update.

0 Helpful

Go to solution
Sergej Tiurin
Level 1
Level 1
In response to Philip D'Ath

ā€Ž04-22-2016 08:54 AM

3.15.3S is generating Tracebacks but not rebooting.

We have tried 3.13.2S (asr1001x-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin) and this doesn't generate trackbacks or reboot! We will try a higher train of the same release.

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to Sergej Tiurin

ā€Ž04-22-2016 09:40 AM

Yay, that is a nice feature - not crashing or rebooting.

It would be great if you could rate and mark helpful answers.  :-)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card