[c-nsp] Attaching service-policy (input) to control-plane (ASR1k- IOS XE 03.06.02 S) results in CPP driver lockdown due to fatal-error

Randy randy_94108 at yahoo.com
Thu Jun 11 16:35:03 EDT 2015


Class CM-TTL0/1 references class-map CM-TTL0/1 match-all that denies ip any any for ttl eq 0 and ttl eq 1

The above should be:
Class CM-TTL0/1 references class-map CM-TTL0/1 match-all that denies ip any any for ttl eq 0 and ttl eq 1 via an extended ACL that is permit ip any any ttl eq 0 and match ip any any ttl eq 1
./Randy




----- Original Message -----
From: Randy via cisco-nsp <cisco-nsp at puck.nether.net>
To: Cisco-nsp <cisco-nsp at puck.nether.net>
Cc: 
Sent: Thursday, June 11, 2015 1:29 PM
Subject: [c-nsp] Attaching service-policy (input) to control-plane (ASR1k- IOS XE 03.06.02 S) results in CPP driver lockdown due to fatal-error

The fatal condition: CPP driver clientlib error. This obviously causes an automatic-reload (reload reason: LocalSoft).

Platform: ASR1001 - IOS XE 3.6.2S
Image: universalk9.3.6.2.s - 15.2.2.S2 - advipservices in effect.

The service-policy references a policy-map to exempt (no-action) valid-ttl1 packets and drop all other ttl0/1 packets via "cir 8000 bc 1000 be 1000 conform drop exceed drop violate drop"

Note: the *DROP* action is not available within the policy-map class config; *police* is the only other option.

Class CM-TTL0/1 references class-map CM-TTL0/1 match-all that denies ip any any for ttl eq 0 and ttl eq 1

Cisco tells me this would work ( given there is no direct-drop action ). Well, it doesn't.

a) What am I doing wrong here, config-wise? (I have multiple other border-routers with the same COPP protection - via the drop-action - difference: they are all IOS, not IOS XE.)
b) It seems to me like the issue (from going through trace logs) is a bug, and it has to do with what is expected by way of a hash internally for conform, exceed and violate vs. what I configured:

"cir 8000 bc 1000 be 1000 conform drop exceed drop violate drop"

Just a guess.

Has anyone on this list attempted and faced similar behavior? Any work-arounds short of an upgrade?

Relying on the collective-wisdom/experience of this list for an explanation/pointers.
./Randy

