SecureStack/G/D-Series f/w x.01.06.0007 Policy Consumes the First Packet

  • 0
  • 1
  • Article
  • Updated 5 years ago
Article ID: 10734 

SecureStack C3, firmware and lower
SecureStack C2, firmware and lower
SecureStack B3, firmware and lower
SecureStack B2, firmware and lower
G-Series, firmware and lower
D-Series, firmware and lower 

Configured Policy on a port. 

The first (possibly ARP) packet ingressing the switch port is lost, not being forwarded for switching or routing.
The remainder of ingressed traffic is treated as configured per the policy. 

The first ingressed packet attempting to pass through the policy is consumed by the CPU. 

For the C3, upgrade to firmware or higher.
For the C2, upgrade to firmware or higher.
For the B3, upgrade to firmware or higher.
For the B2, upgrade to firmware or higher.
For the G-Series, upgrade to firmware or higher.
For the D-Series, upgrade to firmware or higher. 

Release notes state, in the 'Firmware Changes and Enhancements' section:
10274 & 10183   Corrected an issue where the first packet through the switch is dropped with policy applied, subsequent packet transmissions are successful. 

Pre-upgrade workaround:
This symptom will recur each time the relevant Source Address Table (SAT) entry times out, as it is being relearned. One possible workaround is to increase the MAC Agetime ('set mac agetime...', 'show mac agetime') from its default of 300 seconds to a larger value - as high as one million seconds (about 11.5 days). Be aware that, depending upon a number of other factors - including but not restricted to node density, user mobility, and static LAG failover - doing so may have unintended side-effects.
Photo of FAQ User

FAQ User, Official Rep

  • 13,620 Points 10k badge 2x thumb

Posted 5 years ago

  • 0
  • 1

There are no replies.

This conversation is no longer open for comments or replies.