SecureStack/G/D-Series f/w x.01.06.0007 Policy Consumes the First Packet

  • 0
  • 1
  • Article
  • Updated 4 years ago
Article ID: 10734 

Products
SecureStack C3, firmware 1.01.06.0007 and lower
SecureStack C2, firmware 5.01.06.0007 and lower
SecureStack B3, firmware 1.01.06.0007 and lower
SecureStack B2, firmware 4.01.06.0007 and lower
G-Series, firmware 1.00.03.0002 and lower
D-Series, firmware 1.00.04.0001 and lower 

Changes
Configured Policy on a port. 

Symptoms
The first (possibly ARP) packet ingressing the switch port is lost, not being forwarded for switching or routing.
The remainder of ingressed traffic is treated as configured per the policy. 

Cause
The first ingressed packet attempting to pass through the policy is consumed by the CPU. 

Solution/Workaround
For the C3, upgrade to firmware 1.02.01.0004 or higher.
For the C2, upgrade to firmware 5.02.01.0006 or higher.
For the B3, upgrade to firmware 1.02.01.0004 or higher.
For the B2, upgrade to firmware 4.02.01.0006 or higher.
For the G-Series, upgrade to firmware 1.02.00.0043 or higher.
For the D-Series, upgrade to firmware 6.03.01.0008 or higher. 

Release notes state, in the 'Firmware Changes and Enhancements' section:
10274 & 10183   Corrected an issue where the first packet through the switch is dropped with policy applied, subsequent packet transmissions are successful. 

Pre-upgrade workaround:
This symptom will recur each time the relevant Source Address Table (SAT) entry times out, as it is being relearned. One possible workaround is to increase the MAC Agetime ('set mac agetime...', 'show mac agetime') from its default of 300 seconds to a larger value - as high as one million seconds (about 11.5 days). Be aware that, depending upon a number of other factors - including but not restricted to node density, user mobility, and static LAG failover - doing so may have unintended side-effects.
Photo of FAQ User

FAQ User, Official Rep

  • 13,610 Points 10k badge 2x thumb

Posted 4 years ago

  • 0
  • 1

There are no replies.

This conversation is no longer open for comments or replies.