User guide
Open Problem Reports and Feature Exceptions
OmniSwitch 6600/7000/8800—Release 5.1.6.R02 page 83
PR 65449
Reflexive policies, on an OS7000 series switch, do not work properly if the drop rule that denies the
"reverse" traffic coming from the outside is created first, or has a higher precedence. With qos default
routed disposition drop, it works fine.
Example
Inside Network 10.0.0.0 -- SWITCH -- Outside Network 192.0.0.0
policy condition cOut source ip 192.0.0.0
policy action deny disposition deny
policy rule rOut condition cOut action deny
policy condition cIn ip 192.0.0.0
policy action accept disposition accept
policy rule rIn reflexive condition cIn action accept
qos apply
This will not work because the "drop" rule is created first (with the same precedence, the first rule is taken
first).
Workaround: Make sure the "reflexive" rules ALWAYS have a higher precedence than ANY "drop"
rules that can deny "reflexive" traffic.
policy rule rIn precedence 1
qos apply
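A way to check a saved configuration for the ordering problem in PR 65449, as an added example that is not part of the release notes or of any Alcatel tool. It assumes a default precedence of 0 and that a larger number means higher precedence (consistent with the workaround above), and it conservatively treats every deny/drop rule as one that could match reflexive traffic; the function names are hypothetical.

```python
# Constructed sample: the failing configuration from the PR 65449 example.
SAMPLE = """\
policy condition cOut source ip 192.0.0.0
policy action deny disposition deny
policy rule rOut condition cOut action deny
policy condition cIn ip 192.0.0.0
policy action accept disposition accept
policy rule rIn reflexive condition cIn action accept
qos apply
"""
WORKAROUND = "policy rule rIn precedence 1\nqos apply\n"

def _value(opts, keyword):
    """Return the token that follows keyword in opts, or None."""
    if keyword in opts[:-1]:
        return opts[opts.index(keyword) + 1]
    return None

def parse(config):
    """Return (actions, rules); each rule records its creation order."""
    actions, rules = {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["policy", "action"] and _value(tok[3:], "disposition"):
            actions[tok[2]] = _value(tok[3:], "disposition")
        elif tok[:2] == ["policy", "rule"] and len(tok) > 2:
            # A later "policy rule NAME precedence N" updates the existing rule.
            rule = rules.setdefault(tok[2], {"order": len(rules), "precedence": 0,
                                             "reflexive": False, "action": None})
            opts = tok[3:]
            rule["reflexive"] = rule["reflexive"] or "reflexive" in opts
            if _value(opts, "precedence") is not None:
                rule["precedence"] = int(_value(opts, "precedence"))
            rule["action"] = _value(opts, "action") or rule["action"]
    return actions, rules

def shadowed_reflexive_rules(config):
    """List (reflexive_rule, drop_rule) pairs where the drop rule is taken first."""
    actions, rules = parse(config)
    def key(r):  # assumed order: higher precedence first, then creation order
        return (-r["precedence"], r["order"])
    # "deny" and "drop" are treated alike, as PR 66914 describes.
    drops = [(n, r) for n, r in rules.items()
             if actions.get(r["action"]) in ("deny", "drop")]
    return [(n, dn) for n, r in rules.items() if r["reflexive"]
            for dn, dr in drops if key(dr) < key(r)]
```

Calling `shadowed_reflexive_rules(SAMPLE)` reports the pair `rIn`/`rOut`; with `WORKAROUND` appended the result is empty.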
PR 66077
Sometimes a reflexive flow can take 3 seconds before being accepted on an OS7000 series switch.
This is due to the TCP timeout configured on the PC/Sun IP stack (standard value). The first "open request"
hits the switch, but the response to this request cannot be dropped before the reflexive policy is applied.
Then, the PC retries 3 seconds later.
Workaround: There is no known workaround at this time.
PR 66914
Drop and deny are synonymous keywords for QoS ACL disposition on an OS6624/6648 switch.
Workaround: There is no known workaround at this time.
PR 67871
The show active policy rule command does not display rule matches for a given flow once that flow is
learned and handled on an OS6624/6648 switch.
Workaround: There is no known workaround at this time.