access-list 'established' not working properly in 09.0.10

kpfleming
New Contributor III

Configuration snippets:

vlan 80 name untrusted by port
 untagged ethe 3/1/3
 ip access-group untrusted in

interface ve 80
 ip address 192.168.80.2/24

ip access-list extended untrusted
 enable accounting
 sequence 10 permit tcp any 192.168.0.0/16 established
 sequence 20 permit icmp any any
 sequence 30 permit udp any host 192.168.255.2 eq dns
 sequence 40 permit tcp any host 192.168.255.2 eq dns
 sequence 50 permit udp any host 192.168.255.1 eq ntp
 sequence 60 permit tcp any host 192.168.64.113 eq ssl
 sequence 70 deny tcp any 192.168.0.0/16
 sequence 80 deny udp any 192.168.0.0/16
 sequence 90 permit tcp any any
 sequence 100 permit udp any any

System attached to 3/1/3 has IP address 192.168.68.200/24, with its gateway set to 192.168.80.2.

With the above access-list that system is able to open TCP connections to 192.168.1.1, even though the initial SYN packet should not count as 'established'. If I remove the sequence 10 filter from the access-list, the system is no longer able to open such connections.
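To make the expected behaviour concrete, here is a small reference evaluator for the posted ACL. It is an added example, not code from the thread or from Ruckus/FastIron: it parses the sequence lines exactly as written above and applies the documented meaning of the 'established' keyword (a TCP packet matches only if its ACK or RST bit is set, so a bare SYN never does). The Packet and Rule classes, the port-name table and the sample packets are constructed for the example; walking a SYN from the VLAN 80 host to 192.168.1.1 through the list shows that it should fall past sequence 10 and be dropped by sequence 70, which is the verdict the switch is not producing.

```python
"""Reference walk-through of a FastIron-style extended ACL (added example).

Only the syntax used in the posted ACL is supported: 'any', 'host A.B.C.D',
'A.B.C.D/len', 'eq <port>' and 'established'.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed lookup for the service names the posted ACL uses.
PORT_NAMES = {"dns": 53, "ntp": 123, "ssl": 443}


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"}


@dataclass
class Rule:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str
    src: object                      # ip_network
    dst: object                      # ip_network
    dport: Optional[int]
    established: bool


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D/len'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        return ip_network(tokens.pop(0) + "/32")
    return ip_network(tok, strict=False)


def parse_rule(line):
    """Parse 'sequence N permit|deny proto src dst [eq port] [established]'."""
    tokens = line.split()
    assert tokens[0] == "sequence", line
    seq, action, proto = int(tokens[1]), tokens[2], tokens[3]
    rest = tokens[4:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    dport, established = None, False
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            name = rest.pop(0)
            dport = PORT_NAMES.get(name) or int(name)
        elif tok == "established":
            established = True
        else:
            raise ValueError(f"unsupported token {tok!r} in: {line}")
    return Rule(seq, action, proto, src, dst, dport, established)


def parse_acl(text):
    """Keep only the 'sequence' lines and order them by sequence number."""
    lines = [l.strip() for l in text.splitlines()]
    return sorted((parse_rule(l) for l in lines if l.startswith("sequence")),
                  key=lambda r: r.seq)


def is_established(pkt):
    """Documented meaning of 'established': TCP with ACK or RST set."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


def evaluate(rules, pkt):
    """Return (action, seq) of the first matching rule; ('deny', None) is the
    implicit deny at the end of the list."""
    for r in rules:
        if r.proto != pkt.proto:
            continue
        if ip_address(pkt.src) not in r.src or ip_address(pkt.dst) not in r.dst:
            continue
        if r.dport is not None and pkt.dport != r.dport:
            continue
        if r.established and not is_established(pkt):
            continue
        return r.action, r.seq
    return "deny", None


# The ACL as posted in the thread.
ACL_UNTRUSTED = """
 sequence 10 permit tcp any 192.168.0.0/16 established
 sequence 20 permit icmp any any
 sequence 30 permit udp any host 192.168.255.2 eq dns
 sequence 40 permit tcp any host 192.168.255.2 eq dns
 sequence 50 permit udp any host 192.168.255.1 eq ntp
 sequence 60 permit tcp any host 192.168.64.113 eq ssl
 sequence 70 deny tcp any 192.168.0.0/16
 sequence 80 deny udp any 192.168.0.0/16
 sequence 90 permit tcp any any
 sequence 100 permit udp any any
"""
RULES = parse_acl(ACL_UNTRUSTED)

if __name__ == "__main__":
    host = "192.168.80.200"   # constructed: the host behind 3/1/3
    samples = [
        ("SYN to internal host", Packet("tcp", host, "192.168.1.1", 22, frozenset({"SYN"}))),
        ("ACK to internal host", Packet("tcp", host, "192.168.1.1", 22, frozenset({"ACK"}))),
        ("DNS query", Packet("udp", host, "192.168.255.2", 53)),
        ("SYN to Internet", Packet("tcp", host, "8.8.8.8", 443, frozenset({"SYN"}))),
    ]
    for label, pkt in samples:
        print(f"{label:22s} -> {evaluate(RULES, pkt)}")
```

Running it shows the SYN to 192.168.1.1 denied at sequence 70 while the same flow with ACK set is permitted at sequence 10; if the switch permits the SYN, sequence 10 is matching packets that the keyword's definition excludes.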

hashim_bharooc1
RUCKUS Team Member

Hi Kevin,

Hope you are doing great.

sequence 10 should not allow SYN and sequence 70 will block everything.

Can you please go with 809k code?

This will need to be lab tested and fixed in the code.

Here is the link to the target path

https://docs.commscope.com/bundle/ruckus-fi-target-path/page/GUID-7574F40A-91F5-4E4A-8C54-76E33C7D07...

Hope this helps.

Sorry for the inconvenience.

Thanks

Best Regards

Hashim


Thanks for the quick response! Unfortunately I'm not able to use the 08 firmware, and I experienced very unusual problems with IPv6 routing with that firmware and the 09 firmware does not have those problems... and I don't have a lab environment in which to test alternative firmware versions 🙂

I believe I'll be able to work around this problem though by using a 'mirror' filter in the access-list in the VLAN where the connections originate (which land in VLAN 80). I'll experiment with that.

Ahh, ignore that, I misunderstood what 'mirror' does in access-list filters. I thought it was related to reflexive filters, but it's not.

vu_pham_ghtztqm
New Contributor III

Hi Kevin - We did some tests in the lab and found a workaround for this issue. It seems like a bug in this area, and we need to investigate further. For sequence 10, please use /24 instead of /16. Keep sequence 70/80 with /16 for now. 

Also, we need to clarify this statement from your initial post: "System attached to 3/1/3 has IP address 192.168.68.200/24, with its gateway set to 192.168.80.2." We would assume you meant 192.168.80.200/24 for the host?

Please see the workaround below.

config t
ip access-list extended untrusted
 no sequence 10
 sequence 10 permit tcp any 192.168.80.0/24 established

Please try this and let us know if it helped.

Thank you,

Vu Pham 

Principal Technical Support Engineer 

Shift hours: 08:00-17:00 US Central (Mon-Fri) 

CommScope 

https://www.commscope.com/