IOS XE 16.12.1(Gibraltar) object-group permit shown as deny in log (WS-C3850-24XS)



I have an ACL like this used in a WS-C3850-24XS:


object-group network mynet

object-group service authservices
  tcp eq 1234
  tcp eq 2345

ip access-list extended restrict-net
  permit tcp any any established
  permit icmp any any
  <more permits...>
  permit object-group authservices object-group mynet any log-input
  deny ip any any log-input

int vlan 123
  ip access-group restrict-net out

While testing, I noticed multiple logs (and also hit counts) telling me that it was matching the last rule ("deny ip any any log-input") for packets that should have been matched by the previous rule. However, the packets were actually delivered, so the "deny" log was false.


I replaced the use of "object-group" with the real network address, like this:


  permit tcp any eq 1234 2345 log-input

And I started to see the correct permit logs (instead of deny). In both cases there is no change in what is actually permitted/denied, just in how it is written (with or without object-group). It happens with both network and service object-groups, used together or individually.


I also tested the original permit rule without log-input, and it correctly stopped both the hit counts on "deny ip any any log-input" and the logging of a wrong deny rule.


It seems to be related to rule processing when it hits a rule that combines "permit", "object-group" and "log-input".


Has anyone seen something similar?
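The workaround described in the post (rewriting an object-group based ACE as plain ACEs so that log-input reports the right rule) is easy to get wrong by hand once a group has more than a couple of members. The script below is an added example, not code from the post or from Cisco: it parses IOS-style object-group network / object-group service / ip access-list extended stanzas and expands every ACE that references an object-group into the equivalent flat ACEs, leaving the other ACEs untouched. The members of mynet (one host and one /24) are assumptions, since the post did not show them. It goes a little beyond the post's case: nested group-object members, tcp-udp members, source ports and range operators in service groups are expanded too. Subnet masks in network groups are converted to the wildcard masks an extended ACL expects.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample config modelled on the ACL in the post. The two
# members of "mynet" are assumptions; the post did not show them.
SAMPLE_CONFIG = """\
object-group network mynet
 host 10.1.1.5
 10.1.2.0 255.255.255.0
object-group service authservices
 tcp eq 1234
 tcp eq 2345
ip access-list extended restrict-net
 permit tcp any any established
 permit icmp any any
 permit object-group authservices object-group mynet any log-input
 deny ip any any log-input
"""


def parse_config(text: str) -> Tuple[Dict[str, List[str]], Dict[str, List[str]], Dict[str, List[str]]]:
    """Split a config snippet into network groups, service groups and ACLs (name -> member lines)."""
    net_groups, svc_groups, acls = {}, {}, {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):          # indented line: member of the open stanza
            if current is not None:
                current.append(raw.strip())
            continue
        parts = raw.split()
        if parts[:2] == ["object-group", "network"]:
            current = net_groups.setdefault(parts[2], [])
        elif parts[:2] == ["object-group", "service"]:
            current = svc_groups.setdefault(parts[2], [])
        elif parts[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(parts[3], [])
        else:
            current = None                # stanza we do not care about
    return net_groups, svc_groups, acls


def expand_network(net_groups: Dict[str, List[str]], name: str, seen=None) -> List[str]:
    """Return the ACL address tokens ('host X' or 'NET WILDCARD') for one network group."""
    seen = set() if seen is None else seen
    if name in seen:
        raise ValueError(f"group-object loop through {name}")
    seen.add(name)
    out = []
    for member in net_groups[name]:
        t = member.split()
        if t[0] == "host":
            out.append(f"host {t[1]}")
        elif t[0] == "group-object":     # nested group
            out.extend(expand_network(net_groups, t[1], seen))
        elif t[0] == "range":
            raise ValueError(f"range member in {name} needs manual expansion: {member}")
        else:                            # "NETWORK SUBNETMASK" -> "NETWORK WILDCARD"
            net = ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False)
            out.append(f"{net.network_address} {net.hostmask}")
    return out


def expand_service(members: List[str]) -> List[Tuple[str, str, str]]:
    """Return (protocol, source-port-clause, dest-port-clause) triples for a service group."""
    result = []
    for member in members:
        t = member.split()
        protos = ["tcp", "udp"] if t[0] == "tcp-udp" else [t[0]]
        sport = dport = ""
        j = 1
        while j < len(t):
            is_src = t[j] == "source"
            if is_src:
                j += 1
            width = 3 if t[j] == "range" else 2   # "range LOW HIGH" vs "eq PORT"
            clause = " ".join(t[j:j + width])
            j += width
            if is_src:
                sport = clause
            else:
                dport = clause
        result.extend((p, sport, dport) for p in protos)
    return result


def _parse_addr(tokens: List[str], i: int, net_groups) -> Tuple[List[str], int]:
    """Consume one source/destination specification starting at tokens[i]."""
    if tokens[i] == "any":
        return ["any"], i + 1
    if tokens[i] == "host":
        return [f"host {tokens[i + 1]}"], i + 2
    if tokens[i] == "object-group":
        return expand_network(net_groups, tokens[i + 1]), i + 2
    return [f"{tokens[i]} {tokens[i + 1]}"], i + 2          # "ADDR WILDCARD"


def expand_ace(ace: str, net_groups, svc_groups) -> List[str]:
    """Expand one ACE; ACEs without any object-group reference are returned as-is."""
    tokens = ace.split()
    if "object-group" not in tokens:
        return [ace]
    action, i = tokens[0], 1
    if tokens[i] == "object-group":                          # service group in protocol position
        services = expand_service(svc_groups[tokens[i + 1]])
        i += 2
    else:
        services = [(tokens[i], "", "")]
        i += 1
    srcs, i = _parse_addr(tokens, i, net_groups)
    dsts, i = _parse_addr(tokens, i, net_groups)
    rest = tokens[i:]                                        # e.g. log-input, established
    out = []
    for proto, sport, dport in services:
        for s in srcs:
            for d in dsts:
                parts = [action, proto, s] + ([sport] if sport else []) + [d] + ([dport] if dport else []) + rest
                out.append(" ".join(parts))
    return out


def expand_acl_config(text: str, acl_name: str) -> List[str]:
    """Return the flat ACE list for acl_name, with every object-group reference expanded."""
    net_groups, svc_groups, acls = parse_config(text)
    flat = []
    for ace in acls[acl_name]:
        flat.extend(expand_ace(ace, net_groups, svc_groups))
    return flat


if __name__ == "__main__":
    print(f"ip access-list extended restrict-net")
    for line in expand_acl_config(SAMPLE_CONFIG, "restrict-net"):
        print(f" {line}")
```

Paste a "show running-config" extract into SAMPLE_CONFIG (or read it from a file) and apply the printed ACEs in place of the object-group ACE; the match semantics are unchanged, so hit counts and log-input messages should then land on the expected permit line rather than on the final deny.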
