[nsp] Filter-Id for AS5300

Srdjan Simic srdjan at sezampro.yu
Fri Aug 1 12:20:40 EDT 2003

   Hm :(

   After comparing this, I found out that access list are NOT applied to virtual-access interfaces, even though it says in the "sh ip int" output (on 12.3(1a)):

  Outgoing access list is f20po, default is not set
  Inbound  access list is f20pi, default is not set

   I switched back to 12.2(8)T and filters work. We are using Radius code 11 (Filter-ID). We are using this for VPDN (L2TP).

   Regards Srdjan Simic

-----Original Message-----
From: Mark Tinka [mailto:mtinka at africaonline.co.ug]
Sent: Friday, August 01, 2003 8:48 AM
To: 'Oliver Boehmer (oboehmer)'; Srdjan Simic
Cc: cisco-nsp at puck.nether.net
Subject: RE: [nsp] Filter-Id for AS5300

Oliver Boehmer (oboehmer) wrote:
> Hi,
> I think we are talking about two different problems, even though they
> look similar: 
>> Srdjan Simic wrote:
>>>    We had the same problem. sh run did not show acl, but sh
>>> access-list did, and besides the name there was "(per-user)". This
>>> was with IOS 12.2(8)T and C3640. We were in big trouble, because we
>>> could not save the config. After first lookups, it seems that, when
>>> the router boots, everything is ok. When the first user comes and
>>> requests a filter set, that filter set is removed from running
>>> config. We switched to other IOS and that solved the problem.
>>> Currently we are on 12.3(1a) but we also tried 12.2(17a) and
>>> 12.2(7a) .and
> This problem has been described in CSCdx52334 (and has been fixed in
> 12.2(13)T/12.2(13) and other releases). Every per-user ACL effectivly
> turned on the "per-user" flag on existing ACLs configured on the box
> and thus prevented them from being saved (per-user ACLs are dynamic
> and are never saved).   
>> So you say that after a reboot [I haven't yet tried], the
>> configuration remains intact [albeit invisible], and that the named
>> access list will work even when it doesn't show up in the running
>> configuration.
> No, I doubt this, unless the ACL is present in the startup-config
> (which it isn't if you did a "write" after the box booted). 
>> Well, I am running 12.3(1a) too, but I am exhibiting this problem. I
>> never tried using this named access list on my previous IOS, so I
>> can't really say whether the problem is with 12.3.
> The behaviour you're seeing with 12.3(1a) is definitly a bug and
> needs to be fixed. It could be a race condition, maybe some user's
> profile referenced the ACL before or while (?) it was being defined.
> I also saw this problem with 12.2(2)XB11, but only on one of 100+
> routers using the same config.    
> Can you please try the following: Use "copy tftp startup-config" to
> write a complete config (including the ACL) directly into the NVRAM
> and do a reload. The system will then come up with the ACL, and the
> problem should be solved. If not, it would be very interesting to see
> what triggered the problem, but might be difficult to find out. I'll
> try to repro this internally..     
> Tx,
> 	oli

Hi Oli. Thanks for your response.

I did as you suggested, and copied the configuration from my TFTP server
straight into NVRAM. I reloaded, and it works fine. The configuration is
present in the running-config file, and the (per-user) flag is no longer
present on the show access-list command:

AS5300#sh access-lists emailonly
Extended IP access list emailonly
    10 permit tcp any any eq smtp (14 matches)
    20 permit tcp any any eq pop3 (1207 matches)
    30 permit tcp any any eq domain
    40 permit udp any any eq domain (54 matches)
    50 permit tcp any host x.x.x.x eq www
    60 permit tcp any host x.x.x.x eq www
    70 permit tcp any host x.x.x.x eq www
    80 permit tcp any host x.x.x.x eq 443
    90 permit icmp any any echo (2 matches)
    100 permit icmp any any echo-reply
    110 permit tcp any eq smtp any
    120 permit tcp any eq pop3 any
    130 permit tcp host x.x.x.x eq www any
    140 permit tcp host x.x.x.x eq www any
    150 permit tcp host x.x.x.x eq www any
    160 permit tcp host x.x.x.x eq 443 any
    170 permit tcp any eq domain any
    180 permit udp any eq domain any
    190 deny ip any any (429 matches)

Many thanks for this workaround.


Mark Tinka - CCNA
Network Engineer, Africa Online Uganda

More information about the cisco-nsp mailing list