IOS XE 16.12.1(Gibraltar) object-group permit shown as deny in log (WS-C3850-24XS)

luizdeluca · ‎09-04-2019

Hello,

I have an ACL like this used in a WS-C3850-24XS:

object-group network mynet 
  10.1.0.0 255.255.0.0

object-group service authservices
  tcp eq 1234
  tcp eq 2345

ip access-list extended restrict-net
  permit tcp any any established
  permit icmp any any
  <more permits...>
  permit object-group authservices object-group mynet any log-input
  deny ip any any log-input

int vlan 123
  ip access-group restrict-net out

While testing, I noticed multiple logs (and also hit counts) telling me that it was matching the last rule ("deny ip any any log-input") for packages that should be matched by the previous rule. However, the packages were actually delivered. So, the "deny" log was false.

I replaced the use of "object-group" with the real network address like this:

  permit tcp 10.1.0.0 0.0.255.255 any eq 1234 2345 log-input

And I started to see the correct permit logs (instead of deny). In both cases, there is no change on what is actually permitted/denied, just how it is written (with or without object-group). It happens with both with network or service object-group, used together or individually.

I also tested the original permit rule without log-input and it correctly stopped both the hit counts on "deny ip any any log-input" and logging a wrong deny rule.

It seems that rule processing when it hits a rule that combines "permit", "object-group" and "log-input".

Does anyone have seem something similar?