Last Modified: Sep 13, 2023
Known Affected Versions:
12.1.2, 12.1.3, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 12.1.4
Opened: Dec 18, 2017
Severity: 3-Major
With an ACL policy configured to allow a restricted set of traffic (say, TCP packets) but disallow ICMP, client ICMP messages are rightfully dropped. However, with ACL logging enabled, the logged drops show wrong values. The values sometimes show a TCP packet being dropped instead of ICMP.
Functionally, the ACL dropping behavior is correct. But because the logging fields are displayed wrong, it appears as if a packet that was not supposed to be dropped is being wrongly rejected. There is no functional impact; the problem is only that the logging information is wrong.
An ICMP packet is configured to be dropped through an ACL rule policy; with logging enabled on the ACL rule, the generated logs have wrong values. Sometimes the field values for ICMP are totally wrong, and the log could show a TCP connection being dropped (especially when the most recent request was a TCP connection).