"% Duplicate ACE present after expansion.Aborting ACE addition!"

nathan.edwards1
Level 1

I have three very large object groups that I'm trying to deny in an access-list.  If I create the object groups and then attempt to deny them in an ACL I get a "% Duplicate ACE present after expansion.Aborting ACE addition!" error. However, if I create the object groups with just the first couple objects in each group, deny the groups in the ACL and then finish building the object groups I do not get a duplicate error.  Am I correct in understanding the error as saying that there is a duplicated network between the groups?  If so, why do I not see them when adding the networks to the object groups after they are already applied to the ACL?

Accepted Solution

InayathUlla Sharieff
Cisco Employee

Nathan,

CSCto56118
Symptom:

A duplicate ACE can be introduced in an ACL if the duplicate entry is added via an object-group. The parser will not detect/reject this duplicate ACE configuration.

When the 6500 is reloaded and the ACL gets configured again during bootup, the duplicate ACE does get detected as expected. This can lead to a different access-list behavior before and after the reload of the 6500.

Conditions:

Platform: 6500
Software: 12.2(33)SXI

Example:

# Configure object-group
Cat6500(config)#object-group ip address GRPTEST
Cat6500(config-ipaddr-ogroup)# host-info 10.10.10.10

# Configure an ACL that uses this object-group
Cat6500(config)#ip access-list extended GRPTEST
Cat6500(config-ext-nacl)# permit tcp host 10.11.11.11 host 10.12.12.12 eq 22
Cat6500(config-ext-nacl)# permit tcp addrgroup GRPTEST host 10.12.12.12 eq 22

# Update the object-group with an entry which already exists in the ACL
# This config change to the object-group is accepted (should not be)
Cat6500(config)#object-group ip address GRPTEST
Cat6500(config-ipaddr-ogroup)# host-info 10.11.11.11

Cat6500#show access-lists GRPTEST
Extended IP access list GRPTEST
    10 permit tcp host 10.11.11.11 host 10.12.12.12 eq 22
    20 permit tcp addrgroup GRPTEST host 10.12.12.12 eq 22

# When reconfiguring the same ACL again, the duplicate ACE does get detected
# The config is not accepted, as expected
dr1.sto1.int(config)#no ip access-list extended GRPTEST
dr1.sto1.int(config)#ip access-list extended GRPTEST
dr1.sto1.int(config-ext-nacl)# permit tcp host 10.11.11.11 host 10.12.12.12 eq 22
dr1.sto1.int(config-ext-nacl)# permit tcp addrgroup GRPTEST host 10.12.12.12 eq 22
% Duplicate ACE present after expansion.Aborting ACE addition!


Workaround:

Check your ACLs to make sure you are not adding duplicate entries via an object-group

HTH

Regards

Inayath

*Plz rate all the useful posts.


Right on InayathUlla!

Thanks,

Nate
