ASA code 9.7

Dieselboy · March 02, 2017, 01:04:56 AM

TAC got back to me today. They advise that 9.7.1 will crash when traffic is routed across the VTI tunnel.

The issue is fixed in 9.7.1.2 which is not yet released.

Here's the email chain

Quote from: TACH Tony,

The issue seems to be matching an internal bug which should to be fixed in 9.7.1.2.

The issue seems to trigger during route-look up followed by tmatch_domain_lookup due to invalid meta L3 type changed while processing the traffic from cp to dp.

Quote from: DieselboyHi [name deleted],
Thanks for the update. Is this issue affecting only VTI? IS there any immediate workaround?

I only updated to this release to utilise the long-anticipated VTI tunnel on the ASA, does this feature work in 9.7.1 at all? I gather from your email that VTI although present and available to configure, it's not actually functional. I'm trying to discover whether this issue is related to my configuration in whole on the ASA or due to the code itself.

Many thanks,
tony

Quote from: TACHi Tony,

Yes this issue occurs when the traffic goes through VTI tunnel on ASA. There is no work-around as of now. Upgrading to 9.7.1-2 should have the fix for the issue.

Dieselboy · March 02, 2017, 01:53:22 AM

PS, ASA code asa971-2 came out on 28/02/17 and it's located under the "interim" section.

Otanx · March 02, 2017, 09:33:58 AM

Hey, you know that really nice new feature people have been asking for for 10 years? We added it! P.S. Don't use it, you will crash the system.

-Otanx

deanwebb · March 02, 2017, 11:56:01 AM

CISCO: We got VTI! It's great, it works!

Customers:

NetworkGroover · March 02, 2017, 04:23:09 PM

Eesh.

Dieselboy · March 02, 2017, 07:31:01 PM

IKR! There used to be a time where network engineers had peace of mind, they would configure something and it worked (99%) of the time.

Now, I'm finding that most of the time if you configure something, it's not going to work.

Basically, cannot live without support contracts.

wintermute000 · March 02, 2017, 07:36:38 PM

got the bug ID for laughs?

Dieselboy · March 02, 2017, 08:42:49 PM

No, still waiting on it! As soon as they provide it I'll post it here. It's an internal only bug, TAC says. I hate it when they do that! I checked the release notes and didnt see any issues hence I began planning to use that code. Then BAM! Total outage.

wintermute000 · March 03, 2017, 05:28:16 AM

always a risk to go bleeding edge unless its to squash a critical vulnerability!

terrible luck on your part though, I mean WTF a critical bug on the headline new addition.

deanwebb · March 03, 2017, 08:45:06 AM

Had that happen to me with my NAC product... brand new features, lovely stuff, and then changing a setting in one place puts a default "deny all" condition on our corporate wireless...

Dieselboy · March 07, 2017, 01:35:00 AM

Bug ID: CSCvc35378

Apparently they are working on making it externally visible.

DanC · March 07, 2017, 03:14:24 AM

Quote from: Dieselboy on March 02, 2017, 01:04:56 AM
TAC got back to me today. They advise that 9.7.1 will crash when traffic is routed across the VTI tunnel.

The issue is fixed in 9.7.1.2 which is not yet released.

Here's the email chain

Quote from: TACH Tony,

The issue seems to be matching an internal bug which should to be fixed in 9.7.1.2.

The issue seems to trigger during route-look up followed by tmatch_domain_lookup due to invalid meta L3 type changed while processing the traffic from cp to dp.

Quote from: DieselboyHi [name deleted],
Thanks for the update. Is this issue affecting only VTI? IS there any immediate workaround?

I only updated to this release to utilise the long-anticipated VTI tunnel on the ASA, does this feature work in 9.7.1 at all? I gather from your email that VTI although present and available to configure, it's not actually functional. I'm trying to discover whether this issue is related to my configuration in whole on the ASA or due to the code itself.

Many thanks,
tony

Quote from: TACHi Tony,

Yes this issue occurs when the traffic goes through VTI tunnel on ASA. There is no work-around as of now. Upgrading to 9.7.1-2 should have the fix for the issue.

That sucks! I labbed it out on ASAv a couple of days after the code was released and it seemed to work okay in basic form with BGP and a spoke CSR1000v. Glad I didn't take it much further!

DanC · March 07, 2017, 03:18:46 AM

Quote from: Dieselboy on March 07, 2017, 01:35:00 AM
Bug ID: CSCvc35378

Apparently they are working on making it externally visible.

Can't see it externally yet

Looks like the IRB doesn't work properly either:

https://supportforums.cisco.com/discussion/13221411/vpn-handle-error-new-asa-971-integrated-routing-and-bridging-feature

Dieselboy · March 07, 2017, 09:11:39 PM

IRB doesnt even work??? What an effing joke!

Who understands Law here? The reason I ask is that if I sold someone a car and knew that said car had no brakes but I still sold the car and allowed the unsuspecting buyer to drive away in it, then had an accident due to the fault; this is negligence on my part. Why are Cisco releasing software that they know does not work? And not just that, they are releasing software specifically for a new feature "hey come use our new feature!" but they know it doesnt work, they have an internal bug ID for the purpose of eventually fixing the issue in a later software release. All the while customers are using this software in their designs and running into problems.
Hope everyone logs tac cases so when they reveiw their stats, they can all have a bored meeting and say "ah-ha! If only we had done this properly the first time!"
Yes, bored meeting.

deanwebb · March 08, 2017, 01:03:53 PM

Check the EULA... what if you bought a product in perpetual beta?

Yeah, I thought you'd react that way. Lots of interesting things are in those EULAs.