Meraki

Community

Cannot edit ACLs on MS250

SchoolTechFW
Conversationalist
‎Sep 18 2019 1:06 PM
‎Sep 18 2019 1:06 PM

Cannot edit ACLs on MS250

I am unable to add or edit any ACLs on our MS250 switch.  Upon saving any changes, including just adding a comment, I receive a long stream of errors like these:

   Must be 'both', 'ipv4', or ipv6''
   For ACL rules applied to both IPv4 and IPv6, Destination address must be 'any'

   Must be 'both', 'ipv4', or ipv6''
   For ACL rules applied to both IPv4 and IPv6, Destination address must be 'any'
   Must be 'both', 'ipv4', or ipv6''
   For ACL rules applied to both IPv4 and IPv6, Source address must be 'any'
   Must be 'both', 'ipv4', or ipv6''
   For ACL rules applied to both IPv4 and IPv6, Source address must be 'any'
   Must be 'both', 'ipv4', or ipv6''
   For ACL rules applied to both IPv4 and IPv6, Destination address must be 'any'

 

Per Meraki support, they think it is a bug because of a similar case they have open and have referred my case on to developers.

 

So I need to get some ACLs set up for a new subnet and I have been stuck for a week now waiting for Meraki  to figure out what is wrong.  Has anyone else run into this?  Any advice?

0 Kudos
15 Replies 15
BrechtSchamp
Kind of a big deal
‎Sep 18 2019 3:00 PM
‎Sep 18 2019 3:00 PM

That does indeed sound like a bug. Are you using any rules with "IPv6" or "both"?

0 Kudos
In response to BrechtSchamp
cmr
Kind of a big deal
Kind of a big deal
‎Sep 18 2019 3:55 PM
‎Sep 18 2019 3:55 PM

What code are you running, if a bug the support can up/downgrade you to a working version, even if it isn't on the web UI

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
SchoolTechFW
Conversationalist
‎Sep 19 2019 5:30 AM
‎Sep 19 2019 5:30 AM

That's a good suggestion.   We are running MS 11.17 firmware.  Looks like 11.22 is available on the Stable Channel.  

0 Kudos
In response to BrechtSchamp
SchoolTechFW
Conversationalist
‎Sep 19 2019 5:28 AM
‎Sep 19 2019 5:28 AM

Nope.   All rules are IPv4.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 18 2019 5:32 PM
‎Sep 18 2019 5:32 PM

Have you definately got a layer 3 VLAN configured?

 

Could you post a screenshot of the ACL when the error happens?

0 Kudos
In response to PhilipDAth
SchoolTechFW
Conversationalist
‎Sep 19 2019 5:44 AM
‎Sep 19 2019 5:44 AM

The MS250 is configured to route traffic between VLANs, and has been doing so for over a year and a half.   The current ACLs have been working.  I did just recently add a new VLAN which is the one I want to add ACLs for.   But, I cannot even add a comment to an existing ACL without the errors.

 

I just added the comment to the following rule and receive the errors upon trying to save the change.

 

screenshot.jpg

0 Kudos
In response to SchoolTechFW
BrechtSchamp
Kind of a big deal
‎Sep 19 2019 6:23 AM
‎Sep 19 2019 6:23 AM

Apart from trying a fw update I'm at a loss. It really seems like a bug. Nag helpdesk daily, this really should just work.

0 Kudos
In response to BrechtSchamp
cmr
Kind of a big deal
Kind of a big deal
‎Sep 19 2019 7:08 AM
‎Sep 19 2019 7:08 AM

@SchoolTechFW we have been running 11.22 on 225s and 210s for a while with no issues, but we don't do L3 so I can't comment on the stability of that layer.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to SchoolTechFW
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 19 2019 2:03 PM
‎Sep 19 2019 2:03 PM

There is nothing wrong with what you are doing.  Time for a Meraki support ticket.

0 Kudos
SchoolTechFW
Conversationalist
‎Sep 19 2019 2:12 PM
‎Sep 19 2019 2:12 PM

Thank you for all the inputs! 

0 Kudos
SchoolTechFW
Conversationalist
‎Sep 25 2019 6:00 AM
‎Sep 25 2019 6:00 AM

So it's been 2 week now since Meraki decided my ACL issue was a bug and forwarded it onto developers, which seems to be a black hole of some sort where things go in, but nothing (like information, or status reports) ever comes out.  The support staff seems unable to get a status or any info at all on this.

 

The only workaround Meraki support can suggest is deleting all ACLs and trying to add them back.   I am not going  to do that since it could leave me much worse off if I am unable to add the current ACLs back.  So I am still stuck with our core switch missing key functionality - unable to add or edit ACLs.  Wondering if I should explore a switch from another vendor and if I can find a more reliable one.  

0 Kudos
In response to SchoolTechFW
cmr
Kind of a big deal
Kind of a big deal
‎Sep 25 2019 11:16 AM
‎Sep 25 2019 11:16 AM

Did you upgrade to 11.22?  If so perhaps worth trying 11.25, just in case it fixes it (you can always roll back).

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
SchoolTechFW
Conversationalist
‎Sep 26 2019 5:30 AM
‎Sep 26 2019 5:30 AM

I have not upgraded.  It might help, although I didn't see anything in the release notes that mentioned my issue.  This is our central routing/gateway switch so if I botch it, it will be a major problem.  

0 Kudos
In response to SchoolTechFW
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 25 2019 1:36 PM
‎Sep 25 2019 1:36 PM

I've had a think about this.  If it was me I would clone the network, and then in the cloned copy try some experiments to see what resolves it.

 

You could also try cloning the network, get it working correctly, and then just move the kit to the new network.  If all goes well, delete the original network.  If it doesn't go well, move the kit back (aka a rollback plan).

In response to PhilipDAth
SchoolTechFW
Conversationalist
‎Sep 26 2019 5:32 AM
‎Sep 26 2019 5:32 AM

Cloning the network is a thought!   Maybe I could do that safely, without endangering all that is actually working now.

 

Thank you for the idea!

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.