UDP traffic not hitting ACL when logged

jp.briggs
Level 1

2821 ISR


I've got a DAPE ACL I'm trying to build. One of the entries that caused a lot of problems was permitting NTP (UDP 123). I had an entry like this on an ACL:


permit udp <my.src.lan.ip> 0.0.0.255 host <our.external.NTP.server> log

This line did not get any hits, and NTP updates were failing on our Windows clients. (the final line is a deny ip any any)


I changed this line to read:

permit udp <my.src.lan.ip> 0.0.0.255 host <our.external.NTP.server>

Note that the only difference is that I'm not logging this line.

Once changed, I saw hits on this line, and NTP updates on our Windows clients suddenly started going through and working.


Is this normal behavior? I can't see why logged ACL entries would make them fail to get picked up and let through.

1 Reply

Hello.

I believe the entry is not interface ACL, but NAT ACL.

"log" keyword is not supported inside NAT ACLs, that is why you observed connectivity issue.
