PIX 6.3(3) TACL's stop working?

dro (Level 1)

Hey all,

I looked around but didn't see this before. I'm running two 515's in failover on 6.3(3).

Over the weekend, the Turbo ACL (only 32 elements) applied to my outside interface stopped working. This happened at 4am, so it wasn't due to any changes in configuration. As a result, all inbound connections to static hosts were refused and logged as denied.

I was able to correct it by removing the ACL and re-applying it to the PIX. The 515 had been running 6.3(3) for a week prior to this happening.

Has anyone seen this before?

Thanks,

-Joshua

8 Replies

drolemc (Level 6)

My search for a bug dealing with Turbo ACLs and PIX OS 6.3(3) did not return anything. The Turbo ACL feature only serves to reduce the size of the ACL. I don't think the ACLs not getting compiled would result in the behaviour you saw. Guess you might be running into some other bug.

Yeah, I figured it was a bug. How would one go about reporting bugs to Cisco when maintenance on the device is handled through a third party?

Thanks,

-Joshua

Are there any significant benefits in using TurboACL on an ACL with only 32 entries?

Hey All,

I just ran into this problem again on the 525 platform.

A 'show access-list' returns the following corrupted information:

psifw01# show access-list
TurboACL statistics:
ACL                     State       Memory(KB)
----------------------- ----------- ----------
xV4xV4xV4<<<            Operational 5
Shared memory usage: 2058 KB

The problem is corrected by removing the "access-list compiled" statement and re-applying it. After doing so, the PIX allows traffic inbound again and shows the following:

psifw01# show access-list
TurboACL statistics:
ACL                     State       Memory(KB)
----------------------- ----------- ----------
access_outside          Operational 1
NATExclusion            Operational 5
Shared memory usage: 2058 KB

Any ideas?
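A check for the failure mode described in the post above, added here as an example and not code from the thread: it parses the TurboACL statistics table from `show access-list`, and flags an ACL name that is not a plain identifier (like the garbled row quoted) or an expected ACL that has dropped out of the table, so a scheduled job could catch the corruption before inbound traffic is silently refused. The sample outputs are constructed from the thread's quotes, with each row on one line as the PIX prints it; the expected ACL names are the two from the healthy output.

```python
import re

# Constructed samples, laid out as the PIX prints them (one row per ACL);
# the thread's quotes show the same data with rows split across lines.
CORRUPTED = """psifw01# show access-list
TurboACL statistics:
ACL                     State       Memory(KB)
----------------------- ----------- ----------
xV4xV4xV4<<<            Operational 5
Shared memory usage: 2058 KB
"""

HEALTHY = """psifw01# show access-list
TurboACL statistics:
ACL                     State       Memory(KB)
----------------------- ----------- ----------
access_outside          Operational 1
NATExclusion            Operational 5
Shared memory usage: 2058 KB
"""

NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")  # a sane compiled-ACL name
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s*$")  # name  state  memory(KB)

def parse_turboacl(output):
    """Return [(acl_name, state, memory_kb)] rows from the statistics table."""
    rows, in_table = [], False
    for line in output.splitlines():
        if line.startswith("-----"):  # header separator: data rows follow
            in_table = True
            continue
        m = ROW_RE.match(line) if in_table else None
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3))))
    return rows

def check_turboacl(output, expected_acls):
    """Return a list of problems; an empty list means the compiled ACLs look sane."""
    problems, seen = [], set()
    for name, state, _mem in parse_turboacl(output):
        if not NAME_RE.match(name):  # e.g. the 'xV4xV4xV4<<<' row from the thread
            problems.append(f"garbled ACL name: {name!r}")
        if state != "Operational":
            problems.append(f"{name}: state {state}")
        seen.add(name)
    for name in expected_acls:  # an ACL that vanished from the table is also a fault
        if name not in seen:
            problems.append(f"missing compiled ACL: {name}")
    return problems
```

Feed it the output of `show access-list` collected from the firewall on a schedule and alert on a non-empty result.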

Hi

I'm having this problem on 2 PIX 515E (failover) 6.3(3) using Turbo ACL, and it drops all traffic for 3 perimeters every month.

Does anyone have any idea how to work around it???

You might want to give 6.3(3.133)+ a shot. I haven't experienced these issues with one of the updated maintenance releases.

Thank you for your answer.

Where can I get these maintenance releases? I found a few references to them on the Cisco site and no download links...

Thank you again, Franzin

To get a copy of the maintenance release, you need to request it from the TAC. If you don't have a support contract with Cisco anymore, you should still be able to get a copy of the release based on this security advisory:

http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml

Scroll down to the section labeled "Customers without Service Contracts".

I can't guarantee that these new releases fix the problem, but I haven't had the issue occur since I upgraded past 6.3(3).

Regards,

-Joshua
