Field Notice: FN - 72334 - Contract with TCP Filter Port Range Might Behave Unexpectedly in ACI Switches Release 14.x or Earlier - Software Upgrade Recommended

Available Languages

Updated:May 25, 2022
Document ID:FN72334

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision Publish Date Comments
1.3
24-May-22
Update Problem Symptoms section
1.2
29-Mar-22
Updated the Products Affected Section
1.1
12-Mar-22
Updated the Products Affected Section
1.0
25-Feb-22
Initial Release

Products Affected

Affected OS Type Affected Software Product Affected Release Affected Release Number Comments
NON-IOS
NX-OS System Software-ACI
14.2
14.2(1i), 14.2(1j), 14.2(1l), 14.2(2e), 14.2(2f), 14.2(2g), 14.2(3j), 14.2(3l), 14.2(3n), 14.2(3q), 14.2(4i), 14.2(4k), 14.2(4o), 14.2(4p), 14.2(5k), 14.2(5l), 14.2(5n), 14.2(6d), 14.2(6g), 14.2(6h), 14.2(6l), 14.2(6o), 14.2(7f), 14.2(7l), 14.2(7q), 14.2(7r), 14.2(7s)
NON-IOS
APIC Software
5.0
5.0(1k), 5.0(1l), 5.0(2e), 5.0(2h)
NON-IOS
APIC Software
5.1
5.1(1h), 5.1(2e), 5.1(3e), 5.1(4c)
NON-IOS
APIC Software
5.2
5.2(1g), 5.2(2e), 5.2(2f)
NON-IOS
NX-OS System Software-ACI
14.0
14.0(1h), 14.0(2c), 14.0(3c), 14.0(3d)
NON-IOS
NX-OS System Software-ACI
13.2
13.2(10e), 13.2(10f), 13.2(1l), 13.2(1m), 13.2(2l), 13.2(2o), 13.2(3i), 13.2(3j), 13.2(3n), 13.2(3o), 13.2(3r), 13.2(3s), 13.2(41d), 13.2(4d), 13.2(4e), 13.2(5d), 13.2(5e), 13.2(5f), 13.2(6i), 13.2(7f), 13.2(7k), 13.2(8d), 13.2(9b), 13.2(9f)
NON-IOS
NX-OS System Software-ACI
13.1
13.1(1i), 13.1(2m), 13.1(2o), 13.1(2p), 13.1(2q), 13.1(2s), 13.1(2t), 13.1(2u), 13.1(2v)
NON-IOS
NX-OS System Software-ACI
13.0
13.0(1k), 13.0(2h), 13.0(2k), 13.0(2n)
NON-IOS
NX-OS System Software-ACI
12.3
12.3(1e), 12.3(1f), 12.3(1i), 12.3(1l), 12.3(1o), 12.3(1p)
NON-IOS
NX-OS System Software-ACI
12.2
12.2(1n), 12.2(1o), 12.2(2e), 12.2(2f), 12.2(2i), 12.2(2j), 12.2(2k), 12.2(2q), 12.2(3j), 12.2(3p), 12.2(3r), 12.2(3s), 12.2(3t), 12.2(4f), 12.2(4p), 12.2(4q), 12.2(4r)
NON-IOS
NX-OS System Software-ACI
12.1
12.1(1h), 12.1(1i), 12.1(2e), 12.1(2g), 12.1(2k), 12.1(3g), 12.1(3h)
NON-IOS
NX-OS System Software-ACI
12.0
12.0(1m), 12.0(1n), 12.0(1o), 12.0(1p), 12.0(1q), 12.0(1r), 12.0(2f), 12.0(2g), 12.0(2h), 12.0(2l), 12.0(2m), 12.0(2n), 12.0(2o)
NON-IOS
NX-OS System Software-ACI
11.3
11.3(1g), 11.3(1h), 11.3(1i), 11.3(1j), 11.3(2f), 11.3(2h), 11.3(2i), 11.3(2j), 11.3(2k)
NON-IOS
NX-OS System Software-ACI
11.2
11.2(1i), 11.2(1k), 11.2(1m), 11.2(2g), 11.2(2h), 11.2(2i), 11.2(2j), 11.2(3c), 11.2(3e), 11.2(3h), 11.2(3m)
NON-IOS
NX-OS System Software-ACI
11.1
11.1(1j), 11.1(1o), 11.1(1r), 11.1(1s), 11.1(2h), 11.1(2i), 11.1(3f), 11.1(4e), 11.1(4f), 11.1(4g), 11.1(4i), 11.1(4l), 11.1(4m)
NON-IOS
NX-OS System Software-ACI
11.0
11.0(1b), 11.0(1c), 11.0(1d), 11.0(1e), 11.0(2j), 11.0(2m), 11.0(3f), 11.0(3i), 11.0(3k), 11.0(3n), 11.0(3o), 11.0(4h), 11.0(4o), 11.0(4q)
NON-IOS
NX-OS System Software-ACI
15.2
15.2(1g), 15.2(2e), 15.2(2f)
NON-IOS
NX-OS System Software-ACI
15.1
15.1(1h), 15.1(2e), 15.1(3e), 15.1(4c)
NON-IOS
NX-OS System Software-ACI
15.0
15.0(1k), 15.0(1l), 15.0(2e), 15.0(2h)
NON-IOS
NX-OS System Software-ACI
14.1
14.1(1i), 14.1(1j), 14.1(1k), 14.1(1l), 14.1(2g), 14.1(2m), 14.1(2o), 14.1(2s), 14.1(2u), 14.1(2w), 14.1(2x)

Defect Information

Defect ID Headline
CSCvz65560 add/update contract with TCP port 22 cause switch rule disable if APIC is 5.x but switch is 14.x

Problem Description

In a mixed version fabric in which the Cisco Application Policy Infrastructure Controller (APIC) runs a 5.x release and the switches run a 14.x or earlier release, the behavior detailed in the Problem Symptom section can be encountered at the addition/update/association of a contract with a TCP filter that has a port range value of "22" (that is, the port value for SSH).

Background

We have identified a software issue with your selected release which can affect the use of this software. Review this field notice in order to determine if the issue applies to your environment. You can proceed to download this software if you have no concerns with the issue.

For more comprehensive information about what is included in this software, refer to Cisco Application Policy Infrastructure Controller (APIC).

Problem Symptom

In a mixed version fabric in which the Cisco APIC runs a 5.x release and the switches run a 14.x or earlier release, incorrect behavior can be encountered at the addition/update/association of a contract with a TCP filter that has a port range value of "22" (that is, the port value for SSH). The incorrect behaviors are:

  • If the TCP port filter is defined as a range of x-22, where x is between 1 and 21, then this mixed mode causes the switch's security policy (zoning rule) to become disabled. This causes network disruption.

  • If the TCP port range is 22-22 (that is, exactly matches port 22), then this mixed mode causes the switch's security policy (zoning rule) to be incorrectly programmed to allow all TCP traffic instead of permitting SSH only.

An upgrade to the Cisco APIC to a 5.x release without making the contract configuration changes does not trigger these problems.

 

Conditions

This issue is triggered when these conditions are met:

  • The Cisco APIC runs a 5.x release while the switches run a 14.x or earlier release.

  • The Cisco APIC runs a 5.x release other than 5.0(1k) or 5.0(1l) while the switches run the 15.0(1k) or 15.0(1l) release.

  • The contract contains at least one TCP filter with source To Port (sToPort) ="ssh" or destination To Port (dToPort) ="ssh".

  • You perform an add/update/association with the contract, or you clean reboot the switches that deployed the contract.

Workaround/Solution

Avoid the use of port 22 in the contract's TCP port range. For example, if the TCP port range is 20-22, change it to 20-23.

Alternatively, freeze the Cisco APIC contract configuration changes (add/update/association) until all switches are upgraded to a 15.x release. Do not clean reboot any switches that have the previously mentioned contract deployed.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products