topic SecureStack/G/D-Series f/w x.01.06.0007 Policy Consumes the First Packet in FAQs https://community.extremenetworks.com/t5/faqs/securestack-g-d-series-f-w-x-01-06-0007-policy-consumes-the/m-p/41009#M25 Article ID: 10734 <BR /> <BR /> <B>Products</B><BR /> SecureStack C3, firmware 1.01.06.0007 and lower<BR /> SecureStack C2, firmware 5.01.06.0007 and lower<BR /> SecureStack B3, firmware 1.01.06.0007 and lower<BR /> SecureStack B2, firmware 4.01.06.0007 and lower<BR /> G-Series, firmware 1.00.03.0002 and lower<BR /> D-Series, firmware 1.00.04.0001 and lower <BR /> <BR /> <B>Changes</B><BR /> Configured Policy on a port. <BR /> <BR /> <B>Symptoms</B><BR /> The first (possibly ARP) packet ingressing the switch port is lost, not being forwarded for switching or routing.<BR /> The remainder of ingressed traffic is treated as configured per the policy. <BR /> <BR /> <B>Cause</B><BR /> The first ingressed packet attempting to pass through the policy is consumed by the CPU. <BR /> <BR /> <B>Solution/Workaround</B><BR /> For the C3, upgrade to firmware 1.02.01.0004 or higher.<BR /> For the C2, upgrade to firmware 5.02.01.0006 or higher.<BR /> For the B3, upgrade to firmware 1.02.01.0004 or higher.<BR /> For the B2, upgrade to firmware 4.02.01.0006 or higher.<BR /> For the G-Series, upgrade to firmware 1.02.00.0043 or higher.<BR /> For the D-Series, upgrade to firmware 6.03.01.0008 or higher. <BR /> <BR /> Release notes state, in the '<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">Firmware Changes and Enhancements</PRE></DIV>' section:<BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">10274</PRE></DIV> &amp; <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">10183</PRE></DIV> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">Corrected an issue where the first packet through the switch is dropped with policy applied, subsequent packet transmissions are successful.</PRE></DIV> <BR /> <BR /> Pre-upgrade workaround:<BR /> This symptom will recur each time the relevant Source Address Table (SAT) entry times out, as it is being relearned. One possible workaround is to increase the MAC Agetime ('<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">set mac agetime...</PRE></DIV>', '<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">show mac agetime</PRE></DIV>') from its default of 300 seconds to a larger value - as high as one million seconds (about 11.5 days). Be aware that, depending upon a number of other factors - including but not restricted to node density, user mobility, and static LAG failover - doing so may have unintended side-effects. Sat, 28 Dec 2013 02:50:00 GMT FAQ_User 2013-12-28T02:50:00Z SecureStack/G/D-Series f/w x.01.06.0007 Policy Consumes the First Packet https://community.extremenetworks.com/t5/faqs/securestack-g-d-series-f-w-x-01-06-0007-policy-consumes-the/m-p/41009#M25 Article ID: 10734 <BR /> <BR /> <B>Products</B><BR /> SecureStack C3, firmware 1.01.06.0007 and lower<BR /> SecureStack C2, firmware 5.01.06.0007 and lower<BR /> SecureStack B3, firmware 1.01.06.0007 and lower<BR /> SecureStack B2, firmware 4.01.06.0007 and lower<BR /> G-Series, firmware 1.00.03.0002 and lower<BR /> D-Series, firmware 1.00.04.0001 and lower <BR /> <BR /> <B>Changes</B><BR /> Configured Policy on a port. <BR /> <BR /> <B>Symptoms</B><BR /> The first (possibly ARP) packet ingressing the switch port is lost, not being forwarded for switching or routing.<BR /> The remainder of ingressed traffic is treated as configured per the policy. <BR /> <BR /> <B>Cause</B><BR /> The first ingressed packet attempting to pass through the policy is consumed by the CPU. <BR /> <BR /> <B>Solution/Workaround</B><BR /> For the C3, upgrade to firmware 1.02.01.0004 or higher.<BR /> For the C2, upgrade to firmware 5.02.01.0006 or higher.<BR /> For the B3, upgrade to firmware 1.02.01.0004 or higher.<BR /> For the B2, upgrade to firmware 4.02.01.0006 or higher.<BR /> For the G-Series, upgrade to firmware 1.02.00.0043 or higher.<BR /> For the D-Series, upgrade to firmware 6.03.01.0008 or higher. <BR /> <BR /> Release notes state, in the '<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">Firmware Changes and Enhancements</PRE></DIV>' section:<BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">10274</PRE></DIV> &amp; <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">10183</PRE></DIV> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">Corrected an issue where the first packet through the switch is dropped with policy applied, subsequent packet transmissions are successful.</PRE></DIV> <BR /> <BR /> Pre-upgrade workaround:<BR /> This symptom will recur each time the relevant Source Address Table (SAT) entry times out, as it is being relearned. One possible workaround is to increase the MAC Agetime ('<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">set mac agetime...</PRE></DIV>', '<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">show mac agetime</PRE></DIV>') from its default of 300 seconds to a larger value - as high as one million seconds (about 11.5 days). Be aware that, depending upon a number of other factors - including but not restricted to node density, user mobility, and static LAG failover - doing so may have unintended side-effects. Sat, 28 Dec 2013 02:50:00 GMT https://community.extremenetworks.com/t5/faqs/securestack-g-d-series-f-w-x-01-06-0007-policy-consumes-the/m-p/41009#M25 FAQ_User 2013-12-28T02:50:00Z