Solved: I would be great if you could

genesio.disabatino · ‎03-08-2016

Really strange for me :

I have a VSI whit ACL on IN and OUT direction .

If I try to communicate between hosts on the same VLAN , the ACL in OUT direction drop the connection.
The problem occurs only if the hosts are on different switches that run through the 3850 with the VSI.
I have no communication problems between hosts that are located on the same switch.
Attached a diagram whit the scenario.
Someone can help me ?

Mar  7 2016 18:06:03.500 UTC: %SEC-6-IPACCESSLOGDP: list VLAN-1014-OUT denied icmp 10.10.14.150 -> 10.10.14.233 (8/0), 8 packets
Mar  7 2016 18:06:41.365 UTC: %SEC-6-IPACCESSLOGDP: list VLAN-1014-OUT denied icmp 10.10.14.232 -> 10.10.14.150 (8/0), 1 packet
Mar  7 2016 18:42:34.078 UTC: %SEC-6-IPACCESSLOGP: list VLAN-1014-OUT denied tcp 10.10.14.150(45863) -> 10.10.14.232(3389), 6 packets
Mar  7 2016 18:44:58.080 UTC: %SEC-6-IPACCESSLOGP: list VLAN-1014-OUT denied tcp 10.10.14.232(9419) -> 10.10.14.150(22), 1 packet

Philip D'Ath · ‎03-14-2016

I can't guarantee that it is a bug - just I have had a lot of issues with the earlier code versions on the 3850 - and you are running an earlier code version.

Don't be surprised if you run into other "funny" issues.

View solution in original post

Philip D'Ath · ‎03-08-2016

Are the switches stacked using the stacking connector?

What version of software are you using?

genesio.disabatino · ‎03-09-2016

SW1

HP VC-FLEX ( Virtual Connect ) on C7000 enclosure

SW-CORE

2 x Cisco WS-C3850-48T with 03.03.02SE

SW2

2 x Cisco WS-C2960X-48TD-L with 15.0(2)EX4

All the stacks are made by "stacking connector"

Philip D'Ath · ‎03-09-2016

I don't really like 3.3.2. Too many bad experiences. Can you upgrade the 3850's to 3.6.4E (a gold star release)?

To clarify, the issue does not happen on either 3850, correct?

The issue happens on both the HP VC-Flex and the 2960's, correct?

genesio.disabatino · ‎03-14-2016

The upgrade would be very complicated for us.

I can't belive that this is a version bug !!!!

Just inside the 2960 : no problem

Just inside the VC-FLEX : no problem

Just inside the 3850 : i think no problem but tomorow i'll do be some test

Through the 3850 and 2960 I have the problem . Through 3850 and the VC-FLEX I have the problem . Through 2960, the 3850 and the VC - FLEX I have the problem.

Philip D'Ath · ‎03-14-2016

I can't guarantee that it is a bug - just I have had a lot of issues with the earlier code versions on the 3850 - and you are running an earlier code version.

Don't be surprised if you run into other "funny" issues.

genesio.disabatino · ‎04-06-2016

FUCKKKKKKK

https://quickview.cloudapps.cisco.com/quickview/bug/CSCun68485

Philip D'Ath · ‎04-06-2016

Back to that software upgrade plan ...

Philip D'Ath · ‎04-06-2016

The other bad news is it knocks the switches out for about 15 minutes.

genesio.disabatino · ‎06-13-2016

For microcode upgrade the down has lasted for 24 minutes !!

After that upgrade we wanted use the object-group...but :

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw51380/?referring_site=bugquickviewclick

e che cazzo!!

Philip D'Ath · ‎06-13-2016

The upgrade time is probably an indication of how far out of date all the different modules were. I haven't had one take that long before.

Is your original issue now resolved?

genesio.disabatino · ‎06-13-2016

So long time was for upgrade many microcode module...the XE IOS was 18 month old..maybe one of the first IOS for 3850.

Yes we solved the previous issue but we have discovered another one.......

Philip D'Ath · ‎06-13-2016

I would be great if you could rate and mark helpful posts. :-)

VSI - L3 interface on Switch 3850 with ACL IN and OUT drop INTRA VLAN packet