CBAC on 2811 not working after Router reboot

Unanswered Question
Dec 23rd, 2009

We are running CBAC on a 2811 router with the following IOS: c2800nm-adventerprisek9-mz.12-24.T2. This works fine and allows and blocks the traffic as designed. However, if we reboot the router CBAC stops working; to get it working we remove a rule from the ACL and put it back in, and CBAC starts allowing traffic. In the same ACL we have a rule to allow SSH, which we use to connect to the router for management. This works fine, as it's not using CBAC and doesn't need to be passed out to the public side of the network. This shows that it's not an issue with the ACL.

Any help would be appreciated.



Kureli Sankar Wed, 12/23/2009 - 14:29

With the description I am assuming that you have the following:

1. CBAC applied IN on the inside interface.

2. ACL also applied IN on the inside interface.

Is this correct?

Usually we see

1. CBAC applied OUT on the outside interface

2. ACL applied IN on the outside interface

You may want to copy and paste the output of "sh run int <>" as well as the ACL that you say is not working, so we understand what is broken.


Chris McManaway Wed, 12/23/2009 - 14:46

Here is the config

Note that once this is working it is fine, only breaks after a reboot. Manual removal of the rule in the ACL and putting back in makes it work again.

Router#show run
Building configuration...

Current configuration : 1411 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
logging message-counter syslog
no aaa new-model
dot11 syslog
ip source-route
ip cef

ip inspect name CELTrust icmp
ip inspect name CELTrust bgp
no ipv6 cef
voice-card 0
object-group service BGP
 tcp eq bgp
object-group service ICMP
 icmp echo
 icmp traceroute
 icmp echo-reply

log config

interface FastEthernet0/0
 description to CELAK1-S15 2/3/43
 ip address
 ip access-group 101 in
 ip inspect CELTrust in
 duplex auto
 speed auto
interface FastEthernet0/1
 description to One Office IDL
 ip address
 ip access-group 110 in
 duplex auto
 speed auto
ip forward-protocol nd
ip route 10
no ip http server
no ip http secure-server

access-list 101 permit object-group ICMP host host
access-list 101 permit object-group BGP host host
access-list 101 deny   ip any any
access-list 110 deny   ip any any

!
line con 0
line aux 0
line vty 0 4
scheduler allocate 20000 1000



Kureli Sankar Wed, 12/23/2009 - 16:10

access-list 101 permit object-group BGP host host

That line says only can initiate BGP peering. cannot initiate as the ACL applied on the other interface only had deny ip any any.

Maybe you should also have this line:

access-list 101 permit object-group BGP host host

Give that a shot and let us know.
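Putting the two replies above together, here is an added example of the layout Kureli describes (inspection applied OUT on the outside interface, the ACL applied IN on that same interface), with the BGP peering running between a host on each side of the router so that either side can bring the session up. This is not the original poster's configuration: the interface roles, the addresses (RFC 5737 documentation ranges), the inside host 192.0.2.10 and the outside peer 198.51.100.2 are all assumptions made for the illustration.

```ios
! Added example, not the poster's config. Interface roles and all
! addresses below are hypothetical.
!
ip inspect name CELTrust icmp
ip inspect name CELTrust bgp
!
object-group service BGP
 tcp eq bgp
object-group service ICMP
 icmp echo
 icmp traceroute
 icmp echo-reply
!
! Inside (trusted) interface. Nothing is inspected or filtered here in
! this layout; inside-initiated sessions go out unfiltered and are
! inspected as they leave the outside interface.
interface FastEthernet0/1
 description inside (hypothetical)
 ip address 192.0.2.1 255.255.255.0
!
! Outside interface. "ip inspect ... out" watches sessions leaving
! towards the peer and punches the matching return holes in ACL 101;
! "ip access-group 101 in" decides what the outside may start itself.
interface FastEthernet0/0
 description outside (hypothetical)
 ip address 198.51.100.1 255.255.255.252
 ip access-group 101 in
 ip inspect CELTrust out
!
! Static entries cover the outside-initiated direction only; the
! inside-initiated direction is opened dynamically by the inspection.
access-list 101 permit object-group BGP host 198.51.100.2 host 192.0.2.10
access-list 101 permit object-group ICMP host 198.51.100.2 host 192.0.2.10
access-list 101 deny   ip any any log
```

The point of this split is that CBAC only adds the return-direction entries for sessions it has inspected; the direction that opens a session still has to be permitted by whatever ACL it crosses first, which is why the poster's single-interface layout with "deny ip any any" on the other side blocks one side from initiating. Once a session is up, "show ip inspect sessions" and "show ip access-lists 101" show the dynamic entries, which is the quickest way to confirm after a reload that inspection is actually engaging rather than relying on whether traffic happens to pass.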


