IPSA May Manipulate Existing ACLs When It Creates A New One (Doc ID 810273.1)

Last updated on AUGUST 13, 2013

Applies to:

Oracle Communications IP Service Activator - Version: 5.2.4
This problem can occur on any platform.

Symptoms

-- Problem Statement:
In specific circumstances, IPSA deletes and re-creates existing ACLs when it creates a new one.

-- Steps To Reproduce:
1. Apply an Access Rule to interface x on PE1. IPSA creates NamedAcl_0 on PE1 and binds it inbound on the interface:

2009-02-23 11:43:28|10.143.32.48|ip access-list extended NamedAcl_0
2009-02-23 11:43:29|10.143.32.48|permit tcp any gt 23 host 10.167.96.62
2009-02-23 11:43:29|10.143.32.48|permit tcp host 10.167.96.62 any gt 23
2009-02-23 11:43:29|10.143.32.48|permit udp any gt 161 host 10.167.96.62
2009-02-23 11:43:30|10.143.32.48|permit udp host 10.167.96.62 any gt 161
2009-02-23 11:43:30|10.143.32.48|permit ip any any dscp af11
2009-02-23 11:43:31|10.143.32.48|exit
2009-02-23 11:43:31|10.143.32.48|interface Serial1/2
2009-02-23 11:43:31|10.143.32.48|ip access-group NamedAcl_0 in


2. Create a VPN and add two interfaces to it, say y1 on PE1 and y2 on PE2.

3. Apply the Access Rule to the VPN. IPSA pushes the following to PE2 and then to PE1:

2009-02-23 11:44:40|10.143.32.44|file-interface|show ip access-list NamedAcl_0
2009-02-23 11:44:40|10.143.32.44|file-interface|show ipv6 access-list NamedAcl_0
2009-02-23 11:44:40|10.143.32.44|file-interface|conf t
2009-02-23 11:44:40|10.143.32.44|file-interface|ip access-list extended NamedAcl_0
2009-02-23 11:44:40|10.143.32.44|file-interface|permit tcp any gt 23 host 10.167.96.62
2009-02-23 11:44:40|10.143.32.44|file-interface|permit tcp host 10.167.96.62 any gt 23
2009-02-23 11:44:40|10.143.32.44|file-interface|permit udp any gt 161 host 10.167.96.62
2009-02-23 11:44:40|10.143.32.44|file-interface|permit udp host 10.167.96.62 any gt 161
2009-02-23 11:44:40|10.143.32.44|file-interface|permit ip any any
2009-02-23 11:44:40|10.143.32.44|file-interface|exit
2009-02-23 11:44:40|10.143.32.44|file-interface|interface Serial1/3
2009-02-23 11:44:40|10.143.32.44|file-interface|ip access-group NamedAcl_0 in


2009-02-23 11:44:44|10.143.32.48|interface Serial1/2
2009-02-23 11:44:44|10.143.32.48|no ip access-group NamedAcl_0 in
2009-02-23 11:44:45|10.143.32.48|exit
2009-02-23 11:44:45|10.143.32.48|ip access-list extended NamedAcl_0
2009-02-23 11:44:45|10.143.32.48|no permit ip any any dscp af11
2009-02-23 11:44:46|10.143.32.48|permit ip any any
2009-02-23 11:44:46|10.143.32.48|exit
2009-02-23 11:44:46|10.143.32.48|ip access-list extended NamedAcl_1
2009-02-23 11:44:47|10.143.32.48|permit tcp any gt 23 host 10.167.96.62
2009-02-23 11:44:47|10.143.32.48|permit tcp host 10.167.96.62 any gt 23
2009-02-23 11:44:48|10.143.32.48|permit udp any gt 161 host 10.167.96.62
2009-02-23 11:44:48|10.143.32.48|permit udp host 10.167.96.62 any gt 161
2009-02-23 11:44:49|10.143.32.48|permit ip any any dscp af11
2009-02-23 11:44:49|10.143.32.48|exit
2009-02-23 11:44:49|10.143.32.48|interface Serial1/3.1
2009-02-23 11:44:50|10.143.32.48|ip access-group NamedAcl_0 in
2009-02-23 11:44:50|10.143.32.48|exit
2009-02-23 11:44:50|10.143.32.48|interface Serial1/2
2009-02-23 11:44:50|10.143.32.48|ip access-group NamedAcl_1 in

On PE1, IPSA deletes NamedAcl_0, transfers its content to NamedAcl_1 and applies NamedAcl_1 to interface x. It then creates NamedAcl_0 again and uses it for interface y2.
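The pushed commands above are the only record of this churn, so a policy reviewer has to reconstruct from them what changed on the device. The following Python replay is an added example, not Oracle's or IPSA's code: it walks a log in the page's `timestamp|device|command` format (the optional `file-interface` column is tolerated) and reports the window in which interface x carries no inbound ACL, the ACL name change on that interface, and the in-place rule edits to NamedAcl_0. The log excerpt is constructed, abridged from the PE1 push shown above.

```python
import re

# Constructed excerpt in the audit-trail format quoted above (timestamp|device|command),
# abridged from the PE1 re-push: ACL detached, edited in place, re-bound under a new name.
SAMPLE_LOG = """\
2009-02-23 11:44:44|10.143.32.48|interface Serial1/2
2009-02-23 11:44:44|10.143.32.48|no ip access-group NamedAcl_0 in
2009-02-23 11:44:45|10.143.32.48|exit
2009-02-23 11:44:45|10.143.32.48|ip access-list extended NamedAcl_0
2009-02-23 11:44:45|10.143.32.48|no permit ip any any dscp af11
2009-02-23 11:44:46|10.143.32.48|permit ip any any
2009-02-23 11:44:46|10.143.32.48|exit
2009-02-23 11:44:49|10.143.32.48|interface Serial1/3.1
2009-02-23 11:44:50|10.143.32.48|ip access-group NamedAcl_0 in
2009-02-23 11:44:50|10.143.32.48|interface Serial1/2
2009-02-23 11:44:50|10.143.32.48|ip access-group NamedAcl_1 in
"""
BIND_RE = re.compile(r"^(no )?ip access-group (\S+) (in|out)$")

def audit_acl_churn(log_text):
    """Replay pushed commands per device and return (kind, device, ...) findings:
    an interface left with no ACL between unbind and rebind, a binding that came
    back under a different ACL name, a rule removed in place, a catch-all permit."""
    findings, block, unbound = [], {}, {}   # block: device -> (kind, name) being edited
    for line in log_text.splitlines():
        fields = line.split("|")            # last field is the command, whatever the column count
        ts, dev, cmd = fields[0], fields[1], fields[-1].strip()
        if cmd.startswith("interface "):
            block[dev] = ("interface", cmd.split()[1])
        elif cmd.startswith("ip access-list extended "):
            block[dev] = ("acl", cmd.split()[-1])
        elif cmd == "exit":
            block.pop(dev, None)
        elif block.get(dev, ("",))[0] == "interface":
            iface, m = block[dev][1], BIND_RE.match(cmd)
            if m and m.group(1):            # ACL detached: the unprotected window opens here
                unbound[(dev, iface)] = (m.group(2), ts)
            elif m and (dev, iface) in unbound:
                old, since = unbound.pop((dev, iface))
                findings.append(("unprotected_window", dev, iface, since, ts))
                if old != m.group(2):
                    findings.append(("acl_renamed", dev, iface, old, m.group(2)))
        elif block.get(dev, ("",))[0] == "acl":
            acl = block[dev][1]
            if cmd.startswith("no "):       # a rule removed from an existing ACL
                findings.append(("rule_removed", dev, acl, cmd[3:]))
            elif cmd == "permit ip any any":
                findings.append(("catch_all_permit", dev, acl))
    return findings
```

Run against the real audit trail, the findings show that between 11:44:44 and 11:44:50 interface Serial1/2 on PE1 had no inbound ACL at all, and that the surviving NamedAcl_0 ends with an unqualified permit rather than the original dscp-scoped one.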



Cause
