THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.3 | 24-May-22 | Update Problem Symptoms section |
1.2 | 29-Mar-22 | Updated the Products Affected Section |
1.1 | 12-Mar-22 | Updated the Products Affected Section |
1.0 | 25-Feb-22 | Initial Release |
Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|---|
NON-IOS | NX-OS System Software-ACI | 14.2 | 14.2(1i), 14.2(1j), 14.2(1l), 14.2(2e), 14.2(2f), 14.2(2g), 14.2(3j), 14.2(3l), 14.2(3n), 14.2(3q), 14.2(4i), 14.2(4k), 14.2(4o), 14.2(4p), 14.2(5k), 14.2(5l), 14.2(5n), 14.2(6d), 14.2(6g), 14.2(6h), 14.2(6l), 14.2(6o), 14.2(7f), 14.2(7l), 14.2(7q), 14.2(7r), 14.2(7s) | |
NON-IOS | APIC Software | 5.0 | 5.0(1k), 5.0(1l), 5.0(2e), 5.0(2h) | |
NON-IOS | APIC Software | 5.1 | 5.1(1h), 5.1(2e), 5.1(3e), 5.1(4c) | |
NON-IOS | APIC Software | 5.2 | 5.2(1g), 5.2(2e), 5.2(2f) | |
NON-IOS | NX-OS System Software-ACI | 14.0 | 14.0(1h), 14.0(2c), 14.0(3c), 14.0(3d) | |
NON-IOS | NX-OS System Software-ACI | 13.2 | 13.2(10e), 13.2(10f), 13.2(1l), 13.2(1m), 13.2(2l), 13.2(2o), 13.2(3i), 13.2(3j), 13.2(3n), 13.2(3o), 13.2(3r), 13.2(3s), 13.2(41d), 13.2(4d), 13.2(4e), 13.2(5d), 13.2(5e), 13.2(5f), 13.2(6i), 13.2(7f), 13.2(7k), 13.2(8d), 13.2(9b), 13.2(9f) | |
NON-IOS | NX-OS System Software-ACI | 13.1 | 13.1(1i), 13.1(2m), 13.1(2o), 13.1(2p), 13.1(2q), 13.1(2s), 13.1(2t), 13.1(2u), 13.1(2v) | |
NON-IOS | NX-OS System Software-ACI | 13.0 | 13.0(1k), 13.0(2h), 13.0(2k), 13.0(2n) | |
NON-IOS | NX-OS System Software-ACI | 12.3 | 12.3(1e), 12.3(1f), 12.3(1i), 12.3(1l), 12.3(1o), 12.3(1p) | |
NON-IOS | NX-OS System Software-ACI | 12.2 | 12.2(1n), 12.2(1o), 12.2(2e), 12.2(2f), 12.2(2i), 12.2(2j), 12.2(2k), 12.2(2q), 12.2(3j), 12.2(3p), 12.2(3r), 12.2(3s), 12.2(3t), 12.2(4f), 12.2(4p), 12.2(4q), 12.2(4r) | |
NON-IOS | NX-OS System Software-ACI | 12.1 | 12.1(1h), 12.1(1i), 12.1(2e), 12.1(2g), 12.1(2k), 12.1(3g), 12.1(3h) | |
NON-IOS | NX-OS System Software-ACI | 12.0 | 12.0(1m), 12.0(1n), 12.0(1o), 12.0(1p), 12.0(1q), 12.0(1r), 12.0(2f), 12.0(2g), 12.0(2h), 12.0(2l), 12.0(2m), 12.0(2n), 12.0(2o) | |
NON-IOS | NX-OS System Software-ACI | 11.3 | 11.3(1g), 11.3(1h), 11.3(1i), 11.3(1j), 11.3(2f), 11.3(2h), 11.3(2i), 11.3(2j), 11.3(2k) | |
NON-IOS | NX-OS System Software-ACI | 11.2 | 11.2(1i), 11.2(1k), 11.2(1m), 11.2(2g), 11.2(2h), 11.2(2i), 11.2(2j), 11.2(3c), 11.2(3e), 11.2(3h), 11.2(3m) | |
NON-IOS | NX-OS System Software-ACI | 11.1 | 11.1(1j), 11.1(1o), 11.1(1r), 11.1(1s), 11.1(2h), 11.1(2i), 11.1(3f), 11.1(4e), 11.1(4f), 11.1(4g), 11.1(4i), 11.1(4l), 11.1(4m) | |
NON-IOS | NX-OS System Software-ACI | 11.0 | 11.0(1b), 11.0(1c), 11.0(1d), 11.0(1e), 11.0(2j), 11.0(2m), 11.0(3f), 11.0(3i), 11.0(3k), 11.0(3n), 11.0(3o), 11.0(4h), 11.0(4o), 11.0(4q) | |
NON-IOS | NX-OS System Software-ACI | 15.2 | 15.2(1g), 15.2(2e), 15.2(2f) | |
NON-IOS | NX-OS System Software-ACI | 15.1 | 15.1(1h), 15.1(2e), 15.1(3e), 15.1(4c) | |
NON-IOS | NX-OS System Software-ACI | 15.0 | 15.0(1k), 15.0(1l), 15.0(2e), 15.0(2h) | |
NON-IOS | NX-OS System Software-ACI | 14.1 | 14.1(1i), 14.1(1j), 14.1(1k), 14.1(1l), 14.1(2g), 14.1(2m), 14.1(2o), 14.1(2s), 14.1(2u), 14.1(2w), 14.1(2x) | |
Defect ID | Headline |
---|---|
CSCvz65560 | add/update contract with TCP port 22 cause switch rule disable if APIC is 5.x but switch is 14.x |
In a mixed version fabric in which the Cisco Application Policy Infrastructure Controller (APIC) runs a 5.x release and the switches run a 14.x or earlier release, the behavior detailed in the Problem Symptom section can be encountered at the addition/update/association of a contract with a TCP filter that has a port range value of "22" (that is, the port value for SSH).
We have identified a software issue with your selected release which can affect the use of this software. Review this field notice in order to determine if the issue applies to your environment. You can proceed to download this software if you have no concerns with the issue.
For more comprehensive information about what is included in this software, refer to Cisco Application Policy Infrastructure Controller (APIC).
In a mixed version fabric in which the Cisco APIC runs a 5.x release and the switches run a 14.x or earlier release, incorrect behavior can be encountered at the addition/update/association of a contract with a TCP filter that has a port range value of "22" (that is, the port value for SSH). The incorrect behaviors are:
If the TCP port filter is defined as a range of x-22, where x is between 1 and 21, then this mixed mode causes the switch's security policy (zoning rule) to become disabled. This causes network disruption.
If the TCP port range is 22-22 (that is, exactly matches port 22), then this mixed mode causes the switch's security policy (zoning rule) to be incorrectly programmed to allow all TCP traffic instead of permitting SSH only.
An upgrade to the Cisco APIC to a 5.x release without making the contract configuration changes does not trigger these problems.
Conditions
This issue is triggered when these conditions are met:
The Cisco APIC runs a 5.x release while the switches run a 14.x or earlier release.
The Cisco APIC runs a 5.x release other than 5.0(1k) or 5.0(1l) while the switches run the 15.0(1k) or 15.0(1l) release.
The contract contains at least one TCP filter with source To Port (sToPort) ="ssh" or destination To Port (dToPort) ="ssh".
You perform an add/update/association with the contract, or you clean reboot the switches that deployed the contract.
Avoid the use of port 22 in the contract's TCP port range. For example, if the TCP port range is 20-22, change it to 20-23.
Alternatively, freeze the Cisco APIC contract configuration changes (add/update/association) until all switches are upgraded to a 15.x release. Do not clean reboot any switches that have the previously mentioned contract deployed.
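The following script is an added example and is not Cisco tooling or part of this field notice. It applies the Problem Symptom and Conditions sections above as an audit: given the controller and switch versions and a dump of contract filter entries, it flags every TCP filter entry whose source or destination To Port is 22 ("ssh"), reports which of the two incorrect behaviours the notice describes for that port range, and states whether the fabric's version pair is one the notice lists as exposed. Assumptions: the embedded JSON is a constructed stand-in shaped like an APIC class query for vzEntry (attribute names sFromPort/sToPort/dFromPort/dToPort/prot/dn are the filter-entry attributes); version strings use the "5.2(2f)" / "14.2(7s)" form the notice uses; port aliases other than "ssh" are assumed.

```python
"""Audit ACI contract filter entries for the mixed-version port-22 condition.

Added example, not Cisco tooling. Assumptions: the JSON below is a constructed
stand-in for a vzEntry class query; version strings use the "5.2(2f)" /
"14.2(7s)" form of the notice; port aliases other than "ssh" are assumed.
"""
import json
import re

# Assumed APIC port-name aliases; "ssh" is the one the notice refers to.
PORT_ALIASES = {"ssh": 22, "http": 80, "https": 443, "dns": 53}

# Constructed sample mimicking the output shape of a vzEntry class query (shape assumed).
SAMPLE_VZ_ENTRIES = json.dumps({"totalCount": "4", "imdata": [
    {"vzEntry": {"attributes": {"dn": "uni/tn-prod/flt-mgmt/e-ssh-range",
        "prot": "tcp", "sFromPort": "unspecified", "sToPort": "unspecified",
        "dFromPort": "20", "dToPort": "ssh"}}},
    {"vzEntry": {"attributes": {"dn": "uni/tn-prod/flt-mgmt/e-ssh-only",
        "prot": "tcp", "sFromPort": "unspecified", "sToPort": "unspecified",
        "dFromPort": "22", "dToPort": "22"}}},
    {"vzEntry": {"attributes": {"dn": "uni/tn-prod/flt-web/e-https",
        "prot": "tcp", "sFromPort": "unspecified", "sToPort": "unspecified",
        "dFromPort": "https", "dToPort": "https"}}},
    {"vzEntry": {"attributes": {"dn": "uni/tn-prod/flt-dns/e-dns",
        "prot": "udp", "sFromPort": "unspecified", "sToPort": "unspecified",
        "dFromPort": "dns", "dToPort": "dns"}}},
]})

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\w+)\)$")


def parse_version(ver):
    """Split '5.2(2f)' into (5, 2, '2f')."""
    m = VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3)


def mixed_version_exposed(apic_ver, switch_ver):
    """True when the controller/switch pair matches the notice's Conditions."""
    apic = parse_version(apic_ver)
    switch = parse_version(switch_ver)
    if apic[0] != 5:
        return False
    if switch[0] <= 14:                      # APIC 5.x with switches on 14.x or earlier
        return True
    # Any 5.x APIC except 5.0(1k)/5.0(1l) with switches on 15.0(1k)/15.0(1l).
    exempt_apic = apic in {(5, 0, "1k"), (5, 0, "1l")}
    early_150 = switch in {(15, 0, "1k"), (15, 0, "1l")}
    return early_150 and not exempt_apic


def port_number(value):
    """Resolve an APIC port field to an int, or None for 'unspecified'."""
    if value == "unspecified":
        return None
    return PORT_ALIASES[value] if value in PORT_ALIASES else int(value)


def classify_entry(attrs):
    """Return (symptom, detail) for a TCP entry whose range ends at port 22, else None."""
    if attrs.get("prot") not in ("tcp", "6"):
        return None
    for side, label in (("s", "source"), ("d", "destination")):
        lo = port_number(attrs.get(f"{side}FromPort", "unspecified"))
        hi = port_number(attrs.get(f"{side}ToPort", "unspecified"))
        if hi != 22:
            continue
        if lo == 22:
            return ("allow-all-tcp",
                    f"{label} range 22-22: zoning rule programmed to permit all TCP, not SSH only")
        if lo is not None and 1 <= lo <= 21:
            return ("rule-disabled",
                    f"{label} range {lo}-22: zoning rule becomes disabled; "
                    f"notice workaround is to widen it, e.g. {lo}-23 (review before applying)")
        # ToPort is ssh (the stated condition) but the notice describes no symptom for this shape.
        return ("condition-matched", f"{label} ToPort is 22 with FromPort {lo}: review manually")
    return None


def audit(vz_entries_json, apic_ver, switch_ver):
    """Return one finding dict per affected vzEntry, tagged with fabric exposure."""
    exposed = mixed_version_exposed(apic_ver, switch_ver)
    findings = []
    for item in json.loads(vz_entries_json)["imdata"]:
        attrs = item["vzEntry"]["attributes"]
        hit = classify_entry(attrs)
        if hit:
            findings.append({"dn": attrs["dn"], "symptom": hit[0],
                             "detail": hit[1], "fabric_exposed": exposed})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_VZ_ENTRIES, "5.2(2f)", "14.2(7s)"):
        state = "EXPOSED" if f["fabric_exposed"] else "latent"
        print(f"{state} {f['symptom']:18} {f['dn']}: {f['detail']}")
```

Findings are reported even when the version pair is not currently exposed, because the notice's second condition means a fabric can become exposed later (for example, APIC upgraded to 5.x before the switches) without any contract change; the `fabric_exposed` flag separates "fix before the next add/update/association or clean reboot" from "fix before the next upgrade step".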
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC).