Attaching service-policy (input) to control-plane (ASR1k- IOS XE 03.06.02 S) results in CPP driver lockdown due to fatal-error

Randy randy_94108 at
Thu Jun 11 16:28:43 EDT 2015

The fatal condition: CPP driver clientlib error. This obvously causes an antomatic-reload(reload reason: LocalSoft)

Platform: ASR1001 - IOS XE 3.6.2S
Image:universalk9.3.6.2.s - 15.2.2.S2 - advipservices in effect.

the service-policy references a policy-map to exempt(no-action) valid-ttl1 packets and drop all other ttl0/1 packets via "cir 8000 bc 1000 be 1000 conform drop exceed drop violate drop"

Note: the *DROP* action is not available within the policy-map class config; *police* is the only other option.

Class CM-TTL0/1 references class-map CM-TTL0/1 match-all that denys ip any any for ttl eq 0 and ttl eq 1

Cisco tells me this would work ( given there is no direct-drop action ). Well, it doesn't.

a) What am I doing wrong here; config-wise? ( I have multiple other border-routers with the same COPP protection - via the drop-action - difference: they are all IOS not IOS XE.
b) It seems to me like the issue(from going through trace logs) is a bug and it has to do with what-is-expected by the way of a hash; internally for conform, exceed and violate v/s what I configured:

"cir 8000 bc 1000 be 1000 conform drop exceed drop violate drop"

Just a guess.

Has anyone on this list attempted and faced similar behavior? Any work-arounds short of an upgrade?

Relying on the collective-wisdom/experience of this list for an explanation/pointers.

More information about the cisco-nsp mailing list