Cisco Support Community

dro
New Member

PIX 6.3(3) TACL's stop working?

Hey all,

I looked around but didn't see this before. I'm running two 515's in failover on 6.3(3).

Over the weekend, the Turbo ACL (only 32 elements) applied to my outside interface stopped working. This happened at 4am, so it wasn't due to any changes in configuration. As a result, all inbound connections to static hosts were refused and logged as denied.

I was able to correct it by removing the ACL and re-applying it to the PIX. The 515 had been running 6.3(3) for a week prior to this happening.

Has anyone seen this before?

Thanks,

-Joshua

8 REPLIES
Silver

Re: PIX 6.3(3) TACL's stop working?

My search for a bug dealing with Turbo ACL's and PIX OS 6.3(3) did not return anything. The turbo ACL feature only serves to reduce the size of the ACL. I don't think the ACL's not getting compiled would result in the behaviour you saw. Guess you might be running into some other bug.

dro
New Member

Re: PIX 6.3(3) TACL's stop working?

Yeah, I figured it was a bug. How would one go about reporting bugs to Cisco when maintenance on the device is handled through a third party?

Thanks,

-Joshua

New Member

Re: PIX 6.3(3) TACL's stop working?

Are there any significant benefits in using TurboACL on an ACL with only 32 entries?

dro
New Member

Re: PIX 6.3(3) TACL's stop working?

Hey All,

I just ran into this problem again on the 525 platform.

A 'show access-list' returns the following corrupted information:

psifw01# show access-list
TurboACL statistics:
ACL                     State       Memory(KB)
----------------------- ----------- ----------
xV4xV4xV4<<<            Operational 5
Shared memory usage: 2058 KB

The problem is corrected by removing the "access-list compiled" statement and re-applying it. After doing so, the PIX allows traffic inbound again and shows the following:

psifw01# show access-list
TurboACL statistics:
ACL                     State       Memory(KB)
----------------------- ----------- ----------
access_outside          Operational 1
NATExclusion            Operational 5
Shared memory usage: 2058 KB

Any ideas?
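
A monitoring job can catch the corrupted table shown in the post above before inbound traffic is noticed missing. The following is an added example, not part of the original thread and not Cisco tooling: it parses captured 'show access-list' output and compares the ACL names in the TurboACL table with the names expected from the configuration. The function names and the expected-name set are assumptions, and collecting the output from the PIX is left out.

```python
import re

RULE = re.compile(r"^-+(\s+-+)+$")  # dashed line under the column headers

def parse_turboacl(output):
    """Return [(name, state, memory_kb)] rows of the TurboACL statistics table."""
    tokens, in_table = [], False
    for line in map(str.strip, output.splitlines()):
        if RULE.match(line):
            in_table = True
        elif line.startswith("Shared memory usage"):
            break
        elif in_table:
            tokens.extend(line.split())
    # Assumption: name, state and memory are each one whitespace-free token,
    # so rows can be rebuilt whether or not the paste kept them on one line.
    if len(tokens) % 3:
        raise ValueError("table is not a whole number of 3-field rows")
    return [(tokens[i], tokens[i + 1], int(tokens[i + 2]))
            for i in range(0, len(tokens), 3)]

def check_turboacl(output, expected_acls):
    """Return findings; an empty list means the table matches the config."""
    try:
        rows = parse_turboacl(output)
    except ValueError as exc:
        return [f"unparseable table: {exc}"]
    findings = []
    for name, state, _ in rows:
        if name not in expected_acls:
            findings.append(f"unexpected ACL name {name!r}")
        if state != "Operational":
            findings.append(f"ACL {name!r} is {state}")
    seen = {name for name, _, _ in rows}
    findings += [f"ACL {n!r} missing from table"
                 for n in sorted(set(expected_acls) - seen)]
    return findings

HEADER = ("TurboACL statistics:\nACL State Memory(KB)\n"
          "----------------------- ----------- ----------\n")
FOOTER = "Shared memory usage: 2058 KB\n"
# Both samples are the outputs quoted in the post above.
CORRUPTED = HEADER + "xV4xV4xV4<<<\nOperational 5\n" + FOOTER
HEALTHY = HEADER + "access_outside\nOperational 1\nNATExclusion\nOperational 5\n" + FOOTER
EXPECTED = {"access_outside", "NATExclusion"}  # assumed to come from the saved config

if __name__ == "__main__":
    print(check_turboacl(CORRUPTED, EXPECTED))
    print(check_turboacl(HEALTHY, EXPECTED))
```
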

New Member

Re: PIX 6.3(3) TACL's stop working?

Hi

I'm having this problem on 2 PIX 515E (failover) running 6.3(3) and using Turbo ACL; it drops all traffic for 3 perimeters every month.

Does anyone have any idea how to bypass it?

dro
New Member

Re: PIX 6.3(3) TACL's stop working?

You might want to give 6.3(3.133)+ a shot. I haven't experienced these issues with one of the updated maintenance releases.

New Member

Re: PIX 6.3(3) TACL's stop working?

Thank you for your answer.

Where can I get these maintenance releases? I found few references to them on the Cisco site and no download links...

Thank you again, Franzin

dro
New Member

Re: PIX 6.3(3) TACL's stop working?

To get a copy of the maintenance release, you need to request it from the TAC. If you don't have a support contract with Cisco anymore, you should still be able to get a copy of the release based on this security advisory:

http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml

Scroll down to the section labeled "Customers without Service Contracts".

I can't guarantee that these new releases fix the problem, but I haven't had the issue occur since I upgraded past 6.3(3).

Regards,

-Joshua
