cancel
Showing results for 
Search instead for 
Did you mean: 

Too many ACL's & packet rate is too high issue

Too many ACL's & packet rate is too high issue

GONÇALO_NUNO_CO
New Contributor III
Hi, When i configure the switch to download Xos image to upgrade its verson im getting too many "Too many ACL's & packet rate is too high" messages in the switch logs.

02/24/2017 11:34:27.76 Slot-1: Denied packet on ingress interface vlanIf=1000010 slot=1 port=49, too many ACL's & packet rate is too high.

This messages refer to the trunk where i dont have any access-list applied. Ive run the "sh access-list port 1:49" and got this:

#Dynamic Entries ((*)- Rule is non-permanent )
RuleNo Name Application Zone Sub-Zone
(*)1 idmgmt_ks_tcp_dst IdentityManager SYSTEM 0
(*)2 idmgmt_ks_udp_dst IdentityManager SYSTEM 0
(*)3 idmgmt_ks_tcp_src IdentityManager SYSTEM 0
(*)4 idmgmt_ks_udp_src IdentityManager SYSTEM 0

apart form not having any acl applied to the port 49 i dont have neither the identity management configured on port 49.

Can someone guide me to where should i look for the cause of that log message?

Thanks
5 REPLIES 5

Tripathy__Priya
Extreme Employee
Thanks for your kind words and appreciation for my correct assumption. Yes you are right it seems these log messages are related to the past activity. If you see the error logs can find default filter events kern.warning is displayed there:

02/24/2017 11:34:27.76

This could be because in the past for log debug-mode this was added to track the event log that time. If so then please check them for their existence if at all they are still enabled or so.

Use the below command to check for the same:

# show log configuration filter

Log Filter Name: DefaultFilter
I/ Severity
E Component SubComponent Condition CEWNISVD
- ----------- ------------ ----------------------- --------
I Kern Warning --W-----
I All ********

Just like above if t his seems to be present then later you can delete this specific log filter events pointing to kern component if any:

Use the below command to do so:

# enable log debug-mode

WARNING: Debug mode should only be enabled when advised by technical support,
or when advanced diagnosis is required. Performance degradation is possible.
Debug mode now enabled.

# configure log filter "DefaultFilter" delete events "kern.warning"

Then execute the below to check if these log events are all deleted or so:

# sh log configuration filter

Log Filter Name: DefaultFilter
I/ Severity
E Component SubComponent Condition CEWNISVD
- ----------- ------------ ----------------------- --------
I All ********

Finally please do not forget to disable the log debug-mode before getting out of the switch cli:

# disable log debug-mode

Do let us know after following these steps if you still see the reported error log messages?

GONÇALO_NUNO_CO
New Contributor III
Your assumption is correct and i have to give you credit for that, what i dont understand is the meaning of those messages.

At the moment i dont have any policy configured and if i upload a new image to the switch those messages wil appear again during the upload proccess. what do they mean? If they relate to someting i had previously configured they are kind of missleading.

Tripathy__Priya
Extreme Employee
This means my assumption was correct. This shows in the recent past you had already applied ACL on this specific port and later removed them seems. So what i wanted to say earlier as below:

For example assume you prepared one policy file and executed them. Say this policy file contains more than 1 entries as below:

entry one {

if match all {

ethernet-destination-address 33:33:00:00:00:00 mask ff:ff:00:00:00:00

} then {

count ip-in;
}
}


configure access-list ip-traffic any

then say you updated the ip-traffic.pol to include one more entry

entry two {

if match all {

ethernet-destination-address 01:80:c2:00:00:00;

} then {

count st-in;

}

}

Then you must have refreshed the policy as:

refresh policy ip-traffic

Then at last when you try to unconfigure the access-list:

unconfigure access-list ip-traffic

Then while executing the show log it takes a long time and later there are chances the log files to be filled with messages such as:

02/24/2017 11:34:27.76 Slot-1: Denied packet on ingress interface vlanIf=1000010 slot=1 port=49, too many ACL's & packet rate is too high.

So in a nut shell if i put them here again in one statement then:

These log messages could be resulted if the "refresh policy" command is invoked by adding few more entries in the policy file, then after unconfiguring that specific ACL, EXOS switch will start logging messages like "Denied packet on ingess interface vlanIf=1000223 slot=1 port=1, too many ACL's & packet rate is too high".

Hope this time it is much clear to you after showing you above by an example the possible cause of these log message generation.

GONÇALO_NUNO_CO
New Contributor III
Hi and thank you for your reply, to be honest im not sure if i understood your explanation and i am still bit confused.

It is true that in recent past i had a policy applied on inteface 49, but not anymore, according to the log packets are being denied on ingress interface, and this is where i get confused, since at the moment i dont have any policy or ACL applied on the interface 49, what is what is denying the ingress traffic?

Should i do a refresh policy upon removing a policy from an interface so that those log messages dont appear anymore?

GTM-P2G8KFN