[c-nsp] [c3560g] Not in truth table when modifying ACL
Mateusz Blaszczyk
blahu77 at gmail.com
Mon Jul 6 04:38:58 EDT 2009
It seems it's a bug that appeared first in 12.2(50)SE and later releases.
To be fixed in SE3, scheduled for release on 23rd July.
Best Regards,
-mat
2009/7/3 Tim <tim at selfnet.de>:
> Hi,
>
> Mateusz Blaszczyk wrote:
>> This error message shows up every now and then when adding or modifying
>> an ACL (with or without access-group config on the SVI):
>>
>> Jun 4 03:33:23.347: %ACLMGR-3-INTTABLE: Not in truth table: VLMAP 9
>> RACL 9 Rtprot 9 Mcb 13 Feat 3
>> Jun 4 03:33:23.347: %ACLMGR-3-INTTABLE: Not in truth table: VLMAP 9
>> RACL 9 Rtprot 9 Mcb 13 Feat 3
>> Jun 4 03:33:23.355: %ACLMGR-3-INTTABLE: Not in truth table: VLMAP 9
>> RACL 9 Rtprot 9 Mcb 13 Feat 3
>> Jun 4 03:33:23.355: %ACLMGR-3-INTTABLE: Not in truth table: VLMAP 9
>> RACL 9 Rtprot 9 Mcb 13 Feat 3
>>
>> Can anyone tell me what is the severity of that problem? Google is
>> quite quiet apart from a link to Cisco's error messages list, which is
>> not really helpful.
>
> I am getting this on several C3750G, but only with inbound ACLs. Besides
> the error messages, there is indeed a big impact: the router will
> (sometimes) drop IP packets with a destination IP address located on the
> interface (e.g., a BGP session - the BGP session will NOT come up
> again). Transit traffic was not affected. I can reproduce the error
> in my lab.
>
> I decided to downgrade to 12.2(46)SE, because I need the BGP sessions...
>
> But maybe someone found a solution and/or knows that Cisco will fix it
> (soon)?
>
> Regards,
> Tim
> ####################
>
> For the sake of completeness my setup:
>
> IP Service 12.2(50)SE and 12.2(50)SE2
> on a WS-C3750G-12S-S and WS-C3750G-24TS-S
>
> %ACLMGR-3-INTTABLE: Not in truth table: VLMAP 9 RACL 9 Rtprot 9 Mcb 13
> Feat 3
>
> When I configure an ACL inbound on a routed interface, the router
> throws this error message.
>
> Also, the router will (sometimes) drop IP packets with a destination IP
> address located on the router (e.g., a BGP session).
>
> Transit traffic is - as far as I can see - not affected.
>
> I can reproduce the error. With the older IP Advanced Service
> 12.2(46)SE it works fine.
>
> Setup (IP addresses were anonymised):
>                Gi1/0/12
> C3750G-12S-S --------------------------- Uplink Provider
>      |        2.0.0.1/30       2.0.0.2/30
>      |
> 1.16.0.0/16
>
> Config snips:
>
> router bgp 65454
>  bgp router-id 2.0.1.1
>  bgp log-neighbor-changes
>  neighbor 2.0.0.2 remote-as 65000
>  neighbor 2.0.0.2 transport path-mtu-discovery
>  !
>  address-family ipv4
>   neighbor 2.0.0.2 activate
>   neighbor 2.0.0.2 soft-reconfiguration inbound
>   neighbor 2.0.0.2 prefix-list from-UPLINK in
>   neighbor 2.0.0.2 distribute-list 10 out
>   no auto-summary
>   no synchronization
>   network 1.16.0.0 mask 255.255.0.0
>  exit-address-family
> !
> interface GigabitEthernet1/0/12
>  description Uplink
>  no switchport
>  ip address 2.0.0.1 255.255.255.252
>  ip access-group uplink-inbound in
>  ip access-group uplink-outbound out
>  no cdp enable
>  spanning-tree portfast
> !
> ip access-list extended uplink-inbound
>  deny ip 127.0.0.0 0.255.255.255 any
>  deny ip 10.0.0.0 0.255.255.255 any
>  deny ip 172.16.0.0 0.15.255.255 any
>  deny ip 192.168.0.0 0.0.255.255 any
>  permit ip any 2.0.0.0 0.0.0.3
>  permit ip any 1.16.0.0 0.0.255.255
> !
> ip access-list extended uplink-outbound
>  deny ip any 127.0.0.0 0.255.255.255
>  deny ip any 10.0.0.0 0.255.255.255
>  deny ip any 172.16.0.0 0.15.255.255
>  deny ip any 192.168.0.0 0.0.255.255
>  permit ip 2.0.0.0 0.0.0.3 any
>  permit ip 1.16.0.0 0.0.255.255 any
> !
>
> It only affects the inbound ACL, example log output:
>
> Jul 3 12:31:14: %PARSER-5-CFGLOG_LOGGEDCMD: User:tim logged
> command:interface GigabitEthernet1/0/28
> Jul 3 12:31:20: %PARSER-5-CFGLOG_LOGGEDCMD: User:tim logged command:ip
> access-group uplink-inbound in
> Jul 3 12:31:20: %ACLMGR-3-INTTABLE: Not in truth table: VLMAP 9 RACL 9
> Rtprot 9 Mcb 13 Feat 3
> Jul 3 12:31:20: %ACLMGR-3-INTTABLE: Not in truth table: VLMAP 9 RACL 9
> Rtprot 9 Mcb 13 Feat 3
>
> The error message also comes with an ACL which does not exist:
>
> Jul 3 12:32:45: %PARSER-5-CFGLOG_LOGGEDCMD: User:tim logged command:ip
> access-group doesnotexists in
> Jul 3 12:32:45: %ACLMGR-3-INTTABLE: Not in truth table: VLMAP 9 RACL 9
> Rtprot 9 Mcb 13 Feat 3
> Jul 3 12:32:45: %ACLMGR-3-INTTABLE: Not in truth table: VLMAP 9 RACL 9
> Rtprot 9 Mcb 13 Feat 3
>
>
> The only statement from Cisco says:
> """
> Explanation An unrecoverable software error occurred while trying to
> merge the configured input features. [dec] are internal action codes.
> """ [1]
>
> Also, the "Output Interpreter" does not help. And the "Bug Toolkit"
> does not show any bug.
>
> [1]
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/system/message/msg_desc.html
>
>
>
>
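An added example, not part of the original thread: a small syslog correlator that ties each burst of `%ACLMGR-3-INTTABLE` errors to the `ip access-group` command logged just before it, so affected interfaces can be found from collected logs. The sample input is the log excerpt quoted above with the mail line wraps undone; the function name `correlate`, the 5-second window and the default year are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Log excerpt from the quoted post, with the mail client's line wraps undone.
SAMPLE_LOG = """\
Jul 3 12:31:14: %PARSER-5-CFGLOG_LOGGEDCMD: User:tim logged command:interface GigabitEthernet1/0/28
Jul 3 12:31:20: %PARSER-5-CFGLOG_LOGGEDCMD: User:tim logged command:ip access-group uplink-inbound in
Jul 3 12:31:20: %ACLMGR-3-INTTABLE: Not in truth table: VLMAP 9 RACL 9 Rtprot 9 Mcb 13 Feat 3
Jul 3 12:31:20: %ACLMGR-3-INTTABLE: Not in truth table: VLMAP 9 RACL 9 Rtprot 9 Mcb 13 Feat 3
Jul 3 12:32:45: %PARSER-5-CFGLOG_LOGGEDCMD: User:tim logged command:ip access-group doesnotexists in
Jul 3 12:32:45: %ACLMGR-3-INTTABLE: Not in truth table: VLMAP 9 RACL 9 Rtprot 9 Mcb 13 Feat 3
Jul 3 12:32:45: %ACLMGR-3-INTTABLE: Not in truth table: VLMAP 9 RACL 9 Rtprot 9 Mcb 13 Feat 3
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)(?:\.\d+)?: %([A-Z0-9_]+-\d-[A-Z0-9_]+): (.*)$")
CMD = re.compile(r"User:(\S+)\s+logged command:(.*)$")
ACCESS_GROUP = re.compile(r"^ip access-group (\S+) (in|out)$")

def correlate(log_text, window_s=5, year=2009):
    """Attach each %ACLMGR-3-INTTABLE burst to the access-group command before it."""
    iface, last, findings = None, None, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # Syslog timestamps carry no year; the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        tag, body = m.group(2), m.group(3)
        if tag == "PARSER-5-CFGLOG_LOGGEDCMD":
            c = CMD.search(body)
            if not c:
                continue
            cmd = c.group(2).strip()
            if cmd.startswith("interface "):
                iface = cmd.split(None, 1)[1]  # remember the config context
            ag = ACCESS_GROUP.match(cmd)
            if ag:
                last = {"time": ts, "user": c.group(1), "interface": iface,
                        "acl": ag.group(1), "direction": ag.group(2), "errors": 0}
        elif tag == "ACLMGR-3-INTTABLE":
            if last and ts - last["time"] <= timedelta(seconds=window_s):
                last["errors"] += 1
                if last["errors"] == 1:
                    findings.append(last)
            else:  # no config command nearby: report the error on its own
                findings.append({"time": ts, "user": None, "interface": None,
                                 "acl": None, "direction": None, "errors": 1})
    return findings
```

Errors with no `%PARSER-5-CFGLOG_LOGGEDCMD` line inside the window, as in the first post's excerpt, are returned with `acl` set to `None`; the interface is taken from the last logged `interface` command, so it is only as reliable as the configuration logging on the device.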