"% Duplicate ACE present after expansion.Aborting ACE addition!"

nathan.edwards1 (Level 1)

I have three very large object groups that I'm trying to deny in an access-list.  If I create the object groups and then attempt to deny them in an ACL I get a "% Duplicate ACE present after expansion.Aborting ACE addition!" error. However, if I create the object groups with just the first couple objects in each group, deny the groups in the ACL and then finish building the object groups I do not get a duplicate error.  Am I correct in understanding the error as saying that there is a duplicated network between the groups?  If so, why do I not see them when adding the networks to the object groups after they are already applied to the ACL?

Accepted Solution

InayathUlla Sharieff (Cisco Employee)

Nathan,

CSCto56118
Symptom:

A duplicate ACE can be introduced in an ACL if the duplicate entry is added via an object-group. The parser will not detect/reject this duplicate ACE configuration.

When the 6500 is reloaded and the ACL gets configured again during bootup, the duplicate ACE does get detected as expected. This can lead to a different access-list behavior before and after the reload of the 6500.

Conditions:

Platform: 6500
Software: 12.2(33)SXI

Example:

# Configure object-group
Cat6500(config)#object-group ip address GRPTEST
Cat6500(config-ipaddr-ogroup)# host-info 10.10.10.10

# Configure an ACL that uses this object-group
Cat6500(config)#ip access-list extended GRPTEST
Cat6500(config-ext-nacl)# permit tcp host 10.11.11.11 host 10.12.12.12 eq 22
Cat6500(config-ext-nacl)# permit tcp addrgroup GRPTEST host 10.12.12.12 eq 22

# Update the object-group with an entry which already exists in the ACL
# This config change to the object-group is accepted  (should not)
Cat6500(config)#object-group ip address GRPTEST
Cat6500(config-ipaddr-ogroup)# host-info 10.11.11.11

Cat6500#show access-lists GRPTEST
Extended IP access list GRPTEST
    10 permit tcp host 10.11.11.11 host 10.12.12.12 eq 22
    20 permit tcp addrgroup GRPTEST host 10.12.12.12 eq 22


# When reconfiguring the same ACL again, the duplicate ACE does get detected
# The config is not accepted, as expected
dr1.sto1.int(config)#no ip access-list extended GRPTEST
dr1.sto1.int(config)#ip access-list extended GRPTEST
dr1.sto1.int(config-ext-nacl)# permit tcp host 10.11.11.11 host 10.12.12.12 eq 22
dr1.sto1.int(config-ext-nacl)# permit tcp addrgroup GRPTEST host 10.12.12.12 eq 22
% Duplicate ACE present after expansion.Aborting ACE addition!


Workaround:

Check your ACLs to make sure you are not adding duplicate entries via an object-group

HTH

Regards

Inayath

*Please rate all the useful posts.

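The check the workaround above asks for, as an added example rather than code from the original post or from Cisco: a Python script that expands `addrgroup` references into their members the way the parser does and reports ACEs that become identical after expansion. The group-member syntax it accepts (`host-info A.B.C.D` and `A.B.C.D <subnet-mask>`), the IOS wildcard masks in ACEs, and the two sample configurations (one mirroring the CSCto56118 transcript, one mirroring the denied object-groups in the question) are assumptions constructed for the example.

```python
import ipaddress
import itertools
import re

PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}  # operator -> operand count

def _net(addr, mask=None, wildcard=False):
    """Canonical IPv4 network; a bare address is /32, an ACE wildcard mask is inverted."""
    if mask is None:
        return ipaddress.ip_network(f"{addr}/32")
    m = int(ipaddress.ip_address(mask))
    if wildcard:
        m = ~m & 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.ip_address(m))), strict=False)

def parse_config(text):
    """Return ({group: [networks]}, {acl: [ACE lines]}) from running-config text."""
    groups, acls, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"(object-group ip address|ip access-list extended) (\S+)$", line):
            cur = ("group" if m[1].startswith("object") else "acl", m[2])
            (groups if cur[0] == "group" else acls).setdefault(m[2], [])
        elif cur and cur[0] == "group":
            # assumed member syntax: `host-info A.B.C.D` or `A.B.C.D <subnet-mask>`
            if m := re.match(r"host-info (\S+)$", line):
                groups[cur[1]].append(_net(m[1]))
            elif m := re.match(r"(\d[\d.]+) (\d[\d.]+)$", line):
                groups[cur[1]].append(_net(m[1], m[2]))
        elif cur and cur[0] == "acl":
            line = re.sub(r"^\d+ ", "", line)  # tolerate `show access-lists` sequence numbers
            if line.startswith(("permit ", "deny ")):
                acls[cur[1]].append(line)
    return groups, acls

def parse_ace(line):
    """(action, proto, src, sport, dst, dport, opts); src/dst is an ip_network or ("group", NAME)."""
    t = line.split()
    def addr(i):  # one address spec: any | host A | addrgroup NAME | A wildcard
        if t[i] == "any":
            return _net("0.0.0.0", "0.0.0.0"), i + 1
        if t[i] == "host":
            return _net(t[i + 1]), i + 2
        if t[i] == "addrgroup":
            return ("group", t[i + 1]), i + 2
        return _net(t[i], t[i + 1], wildcard=True), i + 2
    def port(i):  # optional `eq 22`, `range 1024 65535`, ...
        n = PORT_OPS.get(t[i], -1) + 1 if i < len(t) else 0
        return " ".join(t[i:i + n]), i + n
    src, i = addr(2)
    sport, i = port(i)
    dst, i = addr(i)
    dport, i = port(i)
    return t[0], t[1], src, sport, dst, dport, " ".join(t[i:])

def find_duplicates(config_text):
    """{acl: [(expanded_ace, [ACE numbers producing it])]} for every ACL with a duplicate."""
    groups, acls = parse_config(config_text)
    report = {}
    for name, aces in acls.items():
        seen = {}
        for n, line in enumerate(aces, 1):
            action, proto, src, sport, dst, dport, opts = parse_ace(line)
            srcs = groups[src[1]] if isinstance(src, tuple) else [src]
            dsts = groups[dst[1]] if isinstance(dst, tuple) else [dst]
            for s, d in itertools.product(srcs, dsts):  # the parser's expansion step
                seen.setdefault((action, proto, str(s), sport, str(d), dport, opts), []).append(n)
        if dups := [(k, v) for k, v in seen.items() if len(v) > 1]:
            report[name] = dups
    return report

# Constructed: CSCto56118's ACL after GRPTEST gains 10.11.11.11 (ACE 1 == one expansion of ACE 2).
CONFIG_AFTER = """
object-group ip address GRPTEST
 host-info 10.10.10.10
 host-info 10.11.11.11
ip access-list extended GRPTEST
 permit tcp host 10.11.11.11 host 10.12.12.12 eq 22
 permit tcp addrgroup GRPTEST host 10.12.12.12 eq 22
"""
CONFIG_BEFORE = CONFIG_AFTER.replace(" host-info 10.11.11.11\n", "")

# Constructed like the question: 192.0.2.7 is in both denied groups; 10.1.0.0/16 and 10.1.1.0/24 only overlap.
CONFIG_GROUPS = """
object-group ip address BLOCK-A
 10.1.0.0 255.255.0.0
 host-info 192.0.2.7
object-group ip address BLOCK-B
 10.1.1.0 255.255.255.0
 host-info 192.0.2.7
ip access-list extended DENY-BAD
 deny ip addrgroup BLOCK-A any
 deny ip addrgroup BLOCK-B any
 permit ip any any
"""
```

Feed `find_duplicates` a saved `show running-config` and it reports, per ACL, every expanded entry that more than one ACE produces, which is what the parser rejects when the ACL is re-entered or rebuilt after a reload on 12.2(33)SXI but lets through when the group is edited afterwards. Only exact duplicates count: a /16 in one group and a /24 inside it in another overlap but are not identical, so they are left alone. That matches the question above: the message means an identical entry, not merely an overlapping network, appears twice once the groups are expanded, and members added to a group after the ACL already references it are not re-checked until the ACL is entered again.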

Replies


Right on InayathUlla!

Thanks,

Nate
