SG300 ACE Creation "Already Exists" ?????

Pat Fahey
Level 1

I'm configuring ACEs through the browser on an SG300 in L3, and I keep running into an extremely frustrating situation.

About every nine out of ten times I try to save an ACE, I get a message in red text that says "Entry Already Exists" -- when it clearly does not exist.

I just tried creating a new (empty) ACL, and adding one ACE.  Even with that I get the "Already Exists" message when trying to save the first ACE.  I've tried saving and rebooting, blowing away the ACL and starting over, and even creating the base ACL and first few rules through the CLI.  Same problem, over and over.

What's up Cisco???

I read a couple of posts here that there is a browser-dependent bug, and only IE works well, but I get the exact failure when using Safari, Firefox and IE9.

When I spoke with Cisco SB tech support he said that he has heard about this but he could only suggest that I blow away the config, and reset the switch to factory default (thanks, but no thanks) or post a message here.

Has anyone found a solution to this bug?  I've been advocating to my small business clients that they use these switches because the bandwidth is very good and the forwarding is rock-solid, but I'm not going to be able to keep using these switches when it takes hours to make a simple ACE change.

Thanks in advance for your thoughts.  -Pat

11 Replies

Tom Watts
VIP Alumni

Hi Pat, I've not run across this problem. However, I know a similar situation the error will exist if you're starting with a space in the name.

Unfortunately in my lab environment, all of my switches have been defaulted prior to configuration and in most instances after I'm done configuring.

If there is not a data entry error for the ACL/ACE, would you mind providing your running config without a password? Then I may attempt to recreate your error. If I can recreate it, perhaps I can find a fix or a difference between my lab and your situation.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

Hi Tom.

Thanks for your help.  Here's the running config:

L3SW01#sh run
config-file-header
L3SW01
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
no spanning-tree
vlan database
vlan 5,80
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
no ip dhcp snooping verify
ip dhcp snooping vlan 1
ip dhcp snooping vlan 80
arp timeout 600
no ip arp proxy disable
ip dhcp relay address 192.168.1.254
ip dhcp relay enable
ip dhcp information option
bonjour interface range vlan 1
ip access-list extended Wireless
permit udp any 67-68 any any
permit udp any any 192.168.1.254 0.0.0.0 domain
permit icmp 192.168.80.0 0.0.0.255 any echo-reply any
deny ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.80.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 any
exit
hostname L3SW01
logging host 192.168.1.254
logging origin-id string L3SW01
no logging aggregation on
username cisco password encrypted x privilege 15
ip ssh server
snmp-server server
snmp-server location x
snmp-server contact "x"
snmp-server community x rw 192.168.1.119 view Default
snmp-server host 192.168.1.119 traps version 2c x
clock timezone " " -8
clock source sntp
clock source browser
ip domain name rosehaven.private
ip name-server  192.168.1.254 8.8.8.8
ip domain timeout 2
ip domain retry 1
ip telnet server
!
interface vlan 1
ip address 192.168.1.1 255.255.255.0
no ip address dhcp
ip dhcp relay enable
!
interface vlan 5
name ASA
ip address 192.168.5.2 255.255.255.0
!
interface vlan 80
name Wireless
ip address 192.168.80.1 255.255.255.0
ip dhcp relay enable
service-acl input Wireless
!
interface gigabitethernet1
ip dhcp snooping trust
switchport mode access
!
interface gigabitethernet2
description "Trunk Lag-A"
ip dhcp snooping trust
channel-group 1 mode auto
switchport mode access
!
interface gigabitethernet3
description "NAS Lag-A"
ip dhcp snooping trust
channel-group 2 mode auto
switchport mode access
!
interface gigabitethernet4
ip dhcp snooping trust
channel-group 1 mode auto
switchport mode access
!
interface gigabitethernet5
description SecServ
ip dhcp snooping trust
switchport mode access
!
interface gigabitethernet6
description "Panasonic TV"
ip dhcp snooping trust
switchport mode access
!
interface gigabitethernet7
description OPPO
ip dhcp snooping trust
switchport mode access
!
interface gigabitethernet8
description "Apple TV"
ip dhcp snooping trust
switchport mode access
!
interface gigabitethernet9
ip dhcp snooping trust
switchport mode access
!
interface gigabitethernet10
description "Trunk Lag-B"
ip dhcp snooping trust
switchport mode access
!
interface gigabitethernet11
description "NAS Lag-B"
ip dhcp snooping trust
channel-group 2 mode auto
switchport mode access
!
interface gigabitethernet12
ip dhcp snooping trust
!
interface gigabitethernet13
ip dhcp snooping trust
!
interface gigabitethernet14
ip dhcp snooping trust
!
interface gigabitethernet15
ip dhcp snooping trust
!
interface gigabitethernet16
ip dhcp snooping trust
!
interface gigabitethernet17
description APPLE-AP
ip dhcp snooping trust
switchport mode access
switchport access vlan 80
!
interface gigabitethernet18
ip dhcp snooping trust
!
interface gigabitethernet19
description ASA
ip dhcp snooping trust
switchport mode access
switchport access vlan 5
!
interface gigabitethernet20
ip dhcp snooping trust
!
interface Port-channel1
description Trunk
switchport trunk allowed vlan add 80
!
interface Port-channel2
description NAS
switchport mode access
!
exit
ip default-gateway 192.168.5.1

Hi Pat, I've loaded your config successfully. The only way I can recreate the error is by repeating the same priority as an existing rule in your current ACE rule table. For example, you have a rule with priority 40. If I duplicate this rule priority, I receive the error that you do.  I've added about a dozen rules to your ACL without it breaking, and in addition I made a new ACL/ACE and it also did not break, so I think this is what is happening to you.

-Tom
Please mark answered for helpful posts

But I get the error when entering the first ACE into a new ACL.  And I get the same error, consistently, on all three of the SG300s I have here; a 300-10, 300-20, and 300-28P.

It does occur when I have created, then deleted ACEs (the first time I create an ACL/ACE on a fresh config, I do not get the error), and I do get the error even when I specify higher priority numbers (numbers that have never been used in any ACLs on that switch).

I noticed, too, that if I create ACLs/ACEs through the CLI, and then view them on the browser, the priority created by the CLI for each ACE increases, regardless of how many ACEs are in any given ACL, and regardless of previous ACEs and ACLs being deleted.

Is there a way to specify priority when entering ACEs through the CLI?  I couldn't find that syntax in the CLI manual for the SG300.  That might be another way to test the problem -- rather than simply entering the ACEs in order, and letting the SG300 (CLI) assign increasing priority numbers as they are entered.

It's almost like the SG300s are never forgetting about deleted rules (either previous priority numbers and/or previous ACE rules), and flagging any new rule as bad, even if a conflicting rule had been deleted some time ago.

That would also explain tech support's recommendation to reset the switch to factory default and then re-enter the rules.

[Attachment: Screen Shot 2014-01-18 at 6.19.59 PM.png]

I just tried to create (through the browser) a new rule #365 to allow 192.168.80.0 0.0.0.255 to access 192.168.1.254 0.0.0.0 via udp dest port 514.  That resulted in an "already exists" error.  I have never created a rule 365 on this switch, nor does one exist now.

Thanks.  -Pat

Hi Pat, with your config file I took a stab again to try to get the ACL "exists" error and I cannot (unless I make a typo). I guess the only difference is that my lab switches have been defaulted after firmware upgrades.

To answer your other question, I do not see a priority / sort syntax for the ACL. I believe it logically assigns them based on the permissions defined by the rule. Mine set some arbitrary values like 385 (for only 1 rule created).

In addition, I did test the theory of a possible bleed-over bug: I took the exact rules from a test ACL I made in the CLI, then wrote the same rules into an existing ACL with the same priorities. This also did not generate an error for me.

I think you're more than safe to just default your switch and load your config file considering that's what I did with your config file and I can't make the error.

-Tom
Please mark answered for helpful posts

Thanks Tom.  I'll give that a try and see if it works.

-Pat

Resetting the switch back to factory did allow me to start over (obviously).  What I am seeing is that once you create ANY ACE with a particular priority number, you can NEVER reuse that number -- regardless of what ACL you are editing.  Ok, I can work around that.

More problematic, I am prevented from creating two rules that do the same thing, even if they are going into two different ACLs and with different priority numbers. 

That behaviour seems kind of strange.  What if you want two different ACLs bound to two different VLANs, but want to allow the same forwarding (DHCP, for instance) before adding the different deny rules?  The switch seems to prevent that.

I want to permit udp any host dhcp, in ACLs applied to VLAN1 and VLAN80.  Once I have created an ACL called "VL1" and added the permit rule (it works fine), and then try to create another ACL "VL80" with the first rule being the permit udp any host dhcp, I get an "Already Exists" error.  I'm using 100 to 200 for VL1, and 300 to 400 for VL80, so the problem can't be a priority-number-reuse problem.

Have you seen this before?

Thanks. -Pat

Hi Pat, can you give the exact step to recreate? Prefer through CLI since it's cleaner... but if it is through GUI, can you provide step by step screen shot to reproduce?

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

Hi Tom,

It works properly when using the CLI.  It appears that the problem is associated with the way that the Web client uses the ACE priority numbers.  The switch seems to get confused and believe that many numbers are already used.  The CLI does not seem to use priority numbers, but rather assigns priority in the order that the entries are entered (which is Ok, but not great since you have to start completely over to insert an entry mid-priority into an existing ACL).  

It looks like Cisco is going to have to try using the client (the SG300 http client) to observe the symptoms.

-Pat
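The behaviour reported in this thread (a repeated priority number, and according to Pat's later posts any priority number or rule text that was ever used in any ACL, is refused by the web UI; the CLI assigns priority by entry order, so inserting a rule mid-order means re-entering the whole ACL) lends itself to a small pre-flight script. The following is an added example, not code from the thread or from Cisco: it parses the ACL blocks out of a pasted running config, emulates the duplicate checks as the thread describes them, picks the next free priority in a per-ACL band (Pat's 100-200 / 300-400 scheme), and emits the CLI sequence to re-enter an ACL with a new rule in a chosen position. The sample ACL text is taken from the running config posted above, with an added ACL "VL1" that repeats the DHCP rule as in Pat's VL1/VL80 test, and the syslog rule is the rule 365 Pat described. The unbind / delete / re-create / rebind order and the `no service-acl input` form are assumptions about the Sx300 CLI and should be checked against the CLI guide for your firmware; the cross-ACL "identical rule" check reflects Pat's report, which Tom could not reproduce.

```python
"""Pre-flight checks for SG300 ACE edits (added example, not from the thread).
Emulates the "Entry Already Exists" conditions reported above so they are
caught before touching the switch, and builds the CLI re-entry sequence."""
import re

# Constructed sample input: the "Wireless" ACL from the posted running config,
# plus a second ACL "VL1" that repeats its DHCP rule, as in Pat's VL1/VL80 test.
SAMPLE_CONFIG = """\
ip access-list extended Wireless
permit udp any 67-68 any any
permit udp any any 192.168.1.254 0.0.0.0 domain
permit icmp 192.168.80.0 0.0.0.255 any echo-reply any
deny ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.80.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 any
exit
ip access-list extended VL1
permit udp any 67-68 any any
exit
"""


def parse_acls(config):
    """Return {acl_name: [ace_text, ...]} in entry order from 'show run' text.
    Whitespace is collapsed so the blank lines and padding a web paste adds
    cannot make two identical rules look different."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif line == "exit":
            current = None
        elif current is not None and re.match(r"(permit|deny) ", line):
            acls[current].append(line)
    return acls


def check_new_ace(acls, acl_name, rule, priority, used_priorities):
    """Emulate the duplicate checks this thread reports the web UI applying.
    used_priorities is every priority number ever assigned on the switch
    (Pat's observation: deleted entries still count as taken).  Returns a list
    of conflicts; an empty list means the ACE should save."""
    rule = " ".join(rule.split())
    problems = []
    if priority in used_priorities:
        problems.append(f"priority {priority} already used on this switch")
    for name, aces in acls.items():
        if rule in aces:
            where = "this ACL" if name == acl_name else f"ACL {name}"
            problems.append(f"identical rule already exists in {where}")
    return problems


def next_free_priority(used_priorities, start, step=20):
    """Lowest start + k*step not yet used.  One band per ACL (Pat used
    100-200 for VL1 and 300-400 for VL80) leaves gaps for later insertions."""
    p = start
    while p in used_priorities:
        p += step
    return p


def rebuild_acl_commands(acl_name, aces, insert_at, new_rule, binding=None):
    """CLI lines that re-enter acl_name with new_rule at 0-based insert_at.
    binding is (interface, direction), e.g. ("vlan 80", "input").  Unbinding
    before 'no ip access-list' and rebinding afterwards is an ASSUMPTION about
    the Sx300 CLI; check it against the CLI guide for your firmware."""
    ordered = list(aces)
    ordered.insert(insert_at, " ".join(new_rule.split()))
    iface, direction = binding if binding else (None, None)
    cmds = []
    if binding:
        cmds += [f"interface {iface}", f"no service-acl {direction}", "exit"]
    cmds += [f"no ip access-list extended {acl_name}",
             f"ip access-list extended {acl_name}"]
    cmds += ordered
    cmds.append("exit")
    if binding:
        cmds += [f"interface {iface}", f"service-acl {direction} {acl_name}", "exit"]
    return cmds


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    used = {100, 120, 140, 160, 180, 200, 220, 300}  # constructed priority history
    print(check_new_ace(acls, "VL80", "permit udp any 67-68 any any", 320, used))
    print("next free priority in the VL80 band:", next_free_priority(used, 300))
    syslog = "permit udp 192.168.80.0 0.0.0.255 any 192.168.1.254 0.0.0.0 514"
    for line in rebuild_acl_commands("Wireless", acls["Wireless"], 3, syslog,
                                     binding=("vlan 80", "input")):
        print(line)
```

Paste the real `show run` output in place of `SAMPLE_CONFIG` and keep the set of priorities you have ever handed out in the UI alongside it; the script then tells you before you click Save whether the entry will be refused, and hands you the ordered CLI block to re-enter an ACL instead of deleting rules one at a time. Unrelated to the ACE bug but worth noticing in the posted config: every gigabitethernet port carries `ip dhcp snooping trust`, which leaves DHCP snooping with nothing to filter (a rogue DHCP server on any port would be accepted), and `ip telnet server` is enabled next to `ip ssh server`, so management credentials can still travel in the clear.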

Three years later and this hasn't been fixed???

Not too cool, Cisco.

Dintid6414
Level 1

I'm having the same problems.

I have 4 vlans:

I can create a rule to allow traffic from 1 host on a specific port to another vlan. Rule works fine.

When I create a second rule to allow traffic from the same host on another port I get the "already exists" error.
