Cannot edit ACLs on MS250

SchoolTechFW
Conversationalist

Cannot edit ACLs on MS250

I am unable to add or edit any ACLs on our MS250 switch.  Upon saving any changes, including just adding a comment, I receive a long stream of errors like these:

   Must be 'both', 'ipv4', or ipv6''
   For ACL rules applied to both IPv4 and IPv6, Destination address must be 'any'

   Must be 'both', 'ipv4', or ipv6''
   For ACL rules applied to both IPv4 and IPv6, Destination address must be 'any'
   Must be 'both', 'ipv4', or ipv6''
   For ACL rules applied to both IPv4 and IPv6, Source address must be 'any'
   Must be 'both', 'ipv4', or ipv6''
   For ACL rules applied to both IPv4 and IPv6, Source address must be 'any'
   Must be 'both', 'ipv4', or ipv6''
   For ACL rules applied to both IPv4 and IPv6, Destination address must be 'any'

 

Per Meraki support, they think it is a bug because of a similar case they have open and have referred my case on to developers.

 

So I need to get some ACLs set up for a new subnet and I have been stuck for a week now waiting for Meraki  to figure out what is wrong.  Has anyone else run into this?  Any advice?

15 Replies 15
BrechtSchamp
Kind of a big deal

That does indeed sound like a bug. Are you using any rules with "IPv6" or "both"?

cmr
Kind of a big deal
Kind of a big deal

What code are you running, if a bug the support can up/downgrade you to a working version, even if it isn't on the web UI

If my answer solves your problem please click Accept as Solution so others can benefit from it.
SchoolTechFW
Conversationalist

That's a good suggestion.   We are running MS 11.17 firmware.  Looks like 11.22 is available on the Stable Channel.  

SchoolTechFW
Conversationalist

Nope.   All rules are IPv4.

PhilipDAth
Kind of a big deal
Kind of a big deal

Have you definately got a layer 3 VLAN configured?

 

Could you post a screenshot of the ACL when the error happens?

SchoolTechFW
Conversationalist

The MS250 is configured to route traffic between VLANs, and has been doing so for over a year and a half.   The current ACLs have been working.  I did just recently add a new VLAN which is the one I want to add ACLs for.   But, I cannot even add a comment to an existing ACL without the errors.

 

I just added the comment to the following rule and receive the errors upon trying to save the change.

 

screenshot.jpg

BrechtSchamp
Kind of a big deal

Apart from trying a fw update I'm at a loss. It really seems like a bug. Nag helpdesk daily, this really should just work.

cmr
Kind of a big deal
Kind of a big deal

@SchoolTechFW we have been running 11.22 on 225s and 210s for a while with no issues, but we don't do L3 so I can't comment on the stability of that layer.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal
Kind of a big deal

There is nothing wrong with what you are doing.  Time for a Meraki support ticket.

SchoolTechFW
Conversationalist

Thank you for all the inputs! 

SchoolTechFW
Conversationalist

So it's been 2 week now since Meraki decided my ACL issue was a bug and forwarded it onto developers, which seems to be a black hole of some sort where things go in, but nothing (like information, or status reports) ever comes out.  The support staff seems unable to get a status or any info at all on this.

 

The only workaround Meraki support can suggest is deleting all ACLs and trying to add them back.   I am not going  to do that since it could leave me much worse off if I am unable to add the current ACLs back.  So I am still stuck with our core switch missing key functionality - unable to add or edit ACLs.  Wondering if I should explore a switch from another vendor and if I can find a more reliable one.  

cmr
Kind of a big deal
Kind of a big deal

Did you upgrade to 11.22?  If so perhaps worth trying 11.25, just in case it fixes it (you can always roll back).

If my answer solves your problem please click Accept as Solution so others can benefit from it.
SchoolTechFW
Conversationalist

I have not upgraded.  It might help, although I didn't see anything in the release notes that mentioned my issue.  This is our central routing/gateway switch so if I botch it, it will be a major problem.  

PhilipDAth
Kind of a big deal
Kind of a big deal

I've had a think about this.  If it was me I would clone the network, and then in the cloned copy try some experiments to see what resolves it.

 

You could also try cloning the network, get it working correctly, and then just move the kit to the new network.  If all goes well, delete the original network.  If it doesn't go well, move the kit back (aka a rollback plan).

SchoolTechFW
Conversationalist

Cloning the network is a thought!   Maybe I could do that safely, without endangering all that is actually working now.

 

Thank you for the idea!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels