We have been using a Cisco 7301 with compiled access-lists turned on for a long time, because it has a significant impact on performance due to the long access-list.
But recently we've faced a problem: sometimes when we perform minor changes in ACLs (usually adding or removing one or two rules in one or two ACLs), the system freezes for 60-80 seconds to recompile the new configuration, and during this period it is inaccessible via telnet or console, and almost all "active" services (BGP, for example) also don't respond. So the question is: what can we do to avoid this issue?
Details on the system below:
IOS version 12.3(14)T6 (c7301-is-mz.123-14.T6.bin)
Cisco 7301 (NPE) processor (revision E) with 983040K/65536K bytes of memory.
c7301#show access-list compiled | beg ACLs
74 ACLs, 70 active, 6288 builds, 3364 entries, 6456 ms last compile
The symptom points to an IOS bug. It's very possible that this is the case, as you are using ED code.
See if you are seeing symptoms consistent with this bug. In this case the turbo ACL was modified while the ACL was applied on the ingress interface.
CSCsa72313 Bug Details
Headline: Turbo ACL: SYS-2-INTSCHED with ACL-processed traffic
Feature: OTHERS
Severity: 2
Status: Resolved
First Found-in Version: 12.0S, 12.2S, 12.1E, 12.3M, 12.2SIE07, 12.4M
First Fixed-in Version: 12.2(20)S08, 12.2(27)SBA, 12.2(25)S05, 12.2(27)SBB, 12.4(3), 12.4(3.3), 12.4(3.2)T, 12.3(15.11), 12.4(3.3)T, 12.0(32.1)S07, 12.0(32)S04
Symptoms: The following error messages may be generated on a router that has
Unfortunately, I shouldn't recommend any specific IOS due to technicalities. It's always a good idea to use GD code, but if you have to use ED code for some reason, then you are well advised to stay with the latest release in that particular train of IOS.
I am sure you know it's always good practice to remove the ACL from the interface, if possible, before making any modifications to the ACL. This is very applicable if the device is in the core and a lot of traffic is traversing that interface.
If a bug scrub on the IOS doesn't match a bug with the same symptoms you are having, then engage TAC to get an answer. Assuming there are no resource constraints or problems in the router when you experience this problem, then it very well may be an IOS issue.
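The "detach, edit, re-attach" workaround from the answer above, written out as an added IOS CLI walk-through that is not part of the original thread. The interface name (GigabitEthernet0/0), the ACL number (101) and the rule being added (a deny for 192.0.2.10) are assumptions for illustration only.

```cisco
! Assumed for this example: ACL 101 is applied inbound on GigabitEthernet0/0.
! Step 1: record the compiled-ACL state and the interface binding before editing.
c7301# show access-list compiled | begin ACLs
c7301# show ip interface GigabitEthernet0/0 | include access list

! Step 2: detach the ACL so the edit does not trigger a recompile of an ACL
! that is currently processing live traffic on the ingress interface.
c7301# configure terminal
c7301(config)# interface GigabitEthernet0/0
c7301(config-if)# no ip access-group 101 in
c7301(config-if)# exit

! Step 3: make the change. Named-ACL mode is used even for the numbered list
! so that single entries can be removed by sequence number ("no 20") instead of
! "no access-list 101 ...", which would delete the whole list.
c7301(config)# ip access-list extended 101
c7301(config-ext-nacl)# deny ip host 192.0.2.10 any
c7301(config-ext-nacl)# exit

! Step 4: re-attach the ACL and leave configuration mode.
c7301(config)# interface GigabitEthernet0/0
c7301(config-if)# ip access-group 101 in
c7301(config-if)# end

! Step 5: confirm the compile completed and the entry count changed as expected.
c7301# show access-list compiled | begin ACLs
c7301# show ip access-lists 101
```

While the ACL is detached the interface forwards unfiltered, so the edit belongs in a maintenance window, and the before/after `show access-list compiled` counts tell you whether the new entry count and last-compile time look sane.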