Wireless Access

Here's an odd thing we've seen a couple of times...  When creating a new role the ACLs sometimes don't work properly. Only seen this on our lab environment, which is a clustered pair of 7005 controllers runing 8.5, with a virtual mobility master.

First time this happened the implicit deny at the end of the ACLs just didn't work. More recently my colleague was testing config for a new role and some of the rules didn't work. After spending a long time trying to figure out what was wrong, removed all the ACLs, re-added them and it all works.

I can't recreate this reliably, so there's no point raising a TAC call about it, but thought I'd put it out there in case anyone else has seen similar weirdness.

You should double-check that the ACLs have been applied properly by using the "show rights" command against the role on the MD and "show acl hits".  Beyond that, there is not enough information in your post to determine what is wrong.

one possible thing you may be hitting here is that existing flows in the session table (show datapath session) do not get reclassified against changes/additions to the acls. 

For example, if I have an acl that says

user any svc-ftp permit
user any any deny

Then say I open a ftp session on the client to some server, and while I am using the FTP session I removed the ACL for svc-ftp, the session would still continue without being denied.

Maybe you encountered a variant of this ?

That's a distinct possibility. Will definitely look out for this next time.

Thanks.