01-18-2014 10:13 AM
I'm configuring ACEs through the browser on an SG300 in L3, and I keep running into an extremely frustrating situation.
About every nine out of ten times I try to save an ACE, I get a message in red text that says the "Entry Already Exists" -- when it clearly does not exist.
I just tried creating a new (empty) ACL, and adding one ACE. Even with that I get the "Already Exists" message when trying to save the first ACE. I've tried saving and rebooting, blowing away the ACL and starting over, and even creating the base ACL and first few rules through the CLI. Same problem, over and over.
What's up Cisco???
I read a couple of posts here that there is a browser-dependent bug, and only IE works well, but I get the exact same failure when using Safari, Firefox and IE9.
When I spoke with Cisco SB tech support he said that he has heard about this but he could only suggest that I blow away the config, and reset the switch to factory default (thanks, but no thanks) or post a message here.
Has any one found a solution to this bug? I've been advocating to my small business clients that they use these switches because the bandwidth is very good and the forwarding is rock-solid, but I'm not going to be able to keep using these switches when it takes hours to make a simple ACE change.
Thanks in advance for your thoughts. -Pat
01-18-2014 03:46 PM
Hi Pat, I've not run across this problem. However, I know of a similar situation: the error will exist if you're starting with a space in the name.
Unfortunately in my lab environment, all of my switches have been defaulted prior to configuration and in most instances after I'm done configuring.
If there is not a data entry error for the ACL/ACE, would you mind providing your running config without the password? Then I may attempt to recreate your error. If I can recreate it, perhaps I can find a fix or a difference between my lab and your situation.
-Tom
Please mark answered for helpful posts
01-18-2014 04:07 PM
Hi Tom.
Thanks for your help. Here's the running config:
L3SW01#sh run
config-file-header
L3SW01
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
no spanning-tree
vlan database
vlan 5,80
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
no ip dhcp snooping verify
ip dhcp snooping vlan 1
ip dhcp snooping vlan 80
arp timeout 600
no ip arp proxy disable
ip dhcp relay address 192.168.1.254
ip dhcp relay enable
ip dhcp information option
bonjour interface range vlan 1
ip access-list extended Wireless
permit udp any 67-68 any any
permit udp any any 192.168.1.254 0.0.0.0 domain
permit icmp 192.168.80.0 0.0.0.255 any echo-reply any
deny ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.80.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 any
exit
hostname L3SW01
logging host 192.168.1.254
logging origin-id string L3SW01
no logging aggregation on
username cisco password encrypted x privilege 15
ip ssh server
snmp-server server
snmp-server location x
snmp-server contact "x"
snmp-server community x rw 192.168.1.119 view Default
snmp-server host 192.168.1.119 traps version 2c x
clock timezone " " -8
clock source sntp
clock source browser
ip domain name rosehaven.private
ip name-server 192.168.1.254 8.8.8.8
ip domain timeout 2
ip domain retry 1
ip telnet server
!
interface vlan 1
ip address 192.168.1.1 255.255.255.0
no ip address dhcp
ip dhcp relay enable
!
interface vlan 5
name ASA
ip address 192.168.5.2 255.255.255.0
!
interface vlan 80
name Wireless
ip address 192.168.80.1 255.255.255.0
ip dhcp relay enable
service-acl input Wireless
!
interface gigabitethernet1
ip dhcp snooping trust
switchport mode access
!
interface gigabitethernet2
description "Trunk Lag-A"
ip dhcp snooping trust
channel-group 1 mode auto
switchport mode access
!
interface gigabitethernet3
description "NAS Lag-A"
ip dhcp snooping trust
channel-group 2 mode auto
switchport mode access
!
interface gigabitethernet4
ip dhcp snooping trust
channel-group 1 mode auto
switchport mode access
!
interface gigabitethernet5
description SecServ
ip dhcp snooping trust
switchport mode access
!
interface gigabitethernet6
description "Panasonic TV"
ip dhcp snooping trust
switchport mode access
!
interface gigabitethernet7
description OPPO
ip dhcp snooping trust
switchport mode access
!
interface gigabitethernet8
description "Apple TV"
ip dhcp snooping trust
switchport mode access
!
interface gigabitethernet9
ip dhcp snooping trust
switchport mode access
!
interface gigabitethernet10
description "Trunk Lag-B"
ip dhcp snooping trust
switchport mode access
!
interface gigabitethernet11
description "NAS Lag-B"
ip dhcp snooping trust
channel-group 2 mode auto
switchport mode access
!
interface gigabitethernet12
ip dhcp snooping trust
!
interface gigabitethernet13
ip dhcp snooping trust
!
interface gigabitethernet14
ip dhcp snooping trust
!
interface gigabitethernet15
ip dhcp snooping trust
!
interface gigabitethernet16
ip dhcp snooping trust
!
interface gigabitethernet17
description APPLE-AP
ip dhcp snooping trust
switchport mode access
switchport access vlan 80
!
interface gigabitethernet18
ip dhcp snooping trust
!
interface gigabitethernet19
description ASA
ip dhcp snooping trust
switchport mode access
switchport access vlan 5
!
interface gigabitethernet20
ip dhcp snooping trust
!
interface Port-channel1
description Trunk
switchport trunk allowed vlan add 80
!
interface Port-channel2
description NAS
switchport mode access
!
exit
ip default-gateway 192.168.5.1
01-18-2014 05:37 PM
Hi Pat, I've loaded your config successfully. The only way I can recreate the error is by repeating the same priority as an existing rule in your current ACE rule table. For example, you have a rule with priority 40. If I duplicate this rule priority, I receive the error that you do. I've added about a dozen rules to your ACL without it breaking, and in addition I made a new ACL/ACE and it also did not break, so I think this is what is happening to you.
-Tom
01-18-2014 06:26 PM
But I get the error when entering the first ACE into a new ACL. And I get the same error, consistently, on all three of the SG300s I have here; a 300-10, 300-20, and 300-28P.
It does occur when I have created, then deleted ACEs (the first time I create an ACL/ACE on a fresh config, I do not get the error), and I do get the error even when I specify higher priority numbers (numbers that have never been used in any ACLs on that switch).
I noticed, too, that if I create ACLs/ACEs through the CLI, and then view them on the browser, the priority created by the CLI for each ACE increases, regardless of how many ACEs are in any given ACL, and regardless of previous ACEs and ACLs being deleted.
Is there a way to specify priority when entering ACEs through the CLI? I couldn't find that syntax in the CLI manual for the SG300. That might be another way to test the problem -- rather than simply entering the ACEs in order, and letting the SG300 (CLI) assign increasing priority numbers as they are entered.
It's almost like the SG300s are never forgetting about deleted rules (either previous priority numbers and/or previous ACE rules), and flagging any new rule as bad, even if a conflicting rule had been deleted some time ago.
That would also explain tech support's recommendation to reset the switch to factory default and then re-enter the rules.
I just tried to create (through the browser) a new rule #365 to allow 192.168.80.0 0.0.0.255 to access 192.168.1.254 0.0.0.0 via udp dest port 514. That resulted in an "already exists" error. I have never created a rule 365 on this switch, nor does one exist now.
Thanks. -Pat
01-19-2014 03:56 PM
Hi Pat, with your config file I took a stab again to try to get the ACL exist error and I cannot (unless I make a typo error). I guess the only difference is my lab switches have been defaulted after firmware upgrades.
To answer your other question, I do not see a priority / sort syntax for the ACL. I believe it logically assigns them based on the permissions defined by the rule. Mine set some arbitrary values like 385 (for only 1 rule created).
In addition, I did test the theory of a possible bleed-over bug: I took the exact rule I made on a test CLI ACL, then wrote the same rules into an existing ACL with the same priorities. This also did not generate an error for me.
I think you're more than safe to just default your switch and load your config file considering that's what I did with your config file and I can't make the error.
-Tom
01-20-2014 07:39 AM
Thanks Tom. I'll give that a try and see if it works.
-Pat
03-01-2014 04:17 PM
Resetting the switch back to factory did allow me to start over (obviously). What I am seeing is that once you create ANY ACE with a particular priority number, you can NEVER reuse that number -- regardless of what ACL you are editing. Ok, I can work around that.
More problematic, I am prevented from creating two rules that do the same thing, even if they are going into two different ACLs and with different priority numbers.
That behaviour seems kind of strange. What if you want two different ACLs bound to two different VLANs, but want to allow the same forwarding (DHCP, for instance) before adding the different deny rules? The switch seems to prevent that.
I want to permit udp any host dhcp, in ACLs applied to VLAN1 and VLAN80. Once I have created an ACL called "VL1" and added the permit rule (it works fine), and then try to create another ACL "VL80" with the first rule the permit udp any host dhcp, I get an "Already Exists" error. I'm using 100 to 200 for VL1, and 300 to 400 for VL80, so the problem can't be a priority-number-reuse problem.
Have you seen this before?
Thanks. -Pat
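As an added example (not from the thread, and not Cisco's code), a small Python pre-flight check that models the two rejection conditions Pat describes above, so a batch of GUI ACE additions can be screened before entering them; the ACL names, priorities and ACEs are constructed sample data loosely based on the ACLs discussed in the thread.

```python
"""Pre-flight check for SG300 web-GUI ACE additions.

Models the behaviour reported in the thread (an assumption, not vendor
documentation): a priority number that was ever handed out cannot be reused
in any ACL, and an ACE whose match fields duplicate an ACE in any other ACL
is rejected with "Entry Already Exists".
"""

# Constructed sample: ACL name -> list of (priority, ACE as typed in the CLI).
EXISTING = {
    "Wireless": [(20, "permit udp any 67-68 any any"),
                 (40, "permit udp any any 192.168.1.254 0.0.0.0 domain")],
    "VL1": [(100, "permit udp any any 192.168.1.254 0.0.0.0 bootps")],
}

# Constructed sample of rules a user wants to add through the GUI.
ADDITIONS = [
    ("VL80", 300, "permit udp any any 192.168.1.254 0.0.0.0 bootps"),  # dup rule
    ("VL80", 40, "deny ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255"),  # dup prio
    ("VL80", 310, "deny ip 192.168.80.0 0.0.0.255 192.168.5.0 0.0.0.255"),  # fine
]


def normalize(ace):
    """Collapse whitespace and case so cosmetically different ACEs compare equal."""
    return " ".join(ace.lower().split())


def check_additions(existing, additions):
    """Return (acl, priority, reason) for each ACE expected to be rejected.

    Additions are processed in order, so a clash between two new ACEs is
    reported as well as a clash with what is already on the switch.
    """
    used_priorities = {}  # priority -> ACL that consumed it
    seen_rules = {}       # normalized ACE -> ACL that holds it
    for acl, aces in existing.items():
        for prio, ace in aces:
            used_priorities[prio] = acl
            seen_rules[normalize(ace)] = acl
    problems = []
    for acl, prio, ace in additions:
        key = normalize(ace)
        if prio in used_priorities:
            problems.append((acl, prio, f"priority {prio} already used in ACL {used_priorities[prio]}"))
        elif key in seen_rules:
            problems.append((acl, prio, f"identical ACE already exists in ACL {seen_rules[key]}"))
        else:
            used_priorities[prio] = acl
            seen_rules[key] = acl
    return problems


if __name__ == "__main__":
    for acl, prio, reason in check_additions(EXISTING, ADDITIONS):
        print(f"{acl} #{prio}: would be rejected, {reason}")
```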
03-01-2014 04:45 PM
Hi Pat, can you give the exact steps to recreate? Preferably through the CLI since it's cleaner... but if it is through the GUI, can you provide step-by-step screenshots to reproduce?
-Tom
04-28-2014 04:10 PM
Hi Tom,
It works properly when using the CLI. It appears that the problem is associated with the way that the Web client uses the ACE priority numbers. The switch seems to get confused and believe that many numbers are already used. The CLI does not seem to use priority numbers, but rather assigns priority in the order that the entries are entered (which is Ok, but not great since you have to start completely over to insert an entry mid-priority into an existing ACL).
It looks like Cisco is going to have to try using the client (the SG300 http client) to observe the symptoms.
-Pat
02-03-2017 07:14 PM
Three years later and this hasn't been fixed???
Not too cool, Cisco.
03-27-2014 11:09 AM
I'm having the same problems.
I have 4 vlans:
I can create a rule to allow traffic from 1 host on a specific port to another vlan. Rule works fine.
When I create a second rule to allow traffic from the same host on another port I get the "already exists" error.