Symptom
C9300 G1/0/1-----------G0/0/0 ISR4451
I set it as below to allow ICMP packets from ISR to pass through, but the permit entry is not working.
ISR4451#sh run in g0/0/0
Building configuration...
interface GigabitEthernet0/0/0
 ip address 10.xx.xx.125 255.255.255.192
 negotiation auto
end
C9300
interface Vlan910
 ip address 10.xx.xx.126 255.255.255.192
 no ip unreachables
 no ip proxy-arp
 ip access-group ACL-vlan910 in
ip access-list extended ACL-vlan910
 10 permit object-group ICMP object-group Test01 object-group Test02
 9999 deny ip any any log
interface GigabitEthernet1/0/1
 switchport access vlan 910
 switchport mode access
object-group service ICMP
 icmp
object-group network Test01
 host 10.xx.xx.125
object-group network Test02
 host 10.xx.xx.126
*Dec 28 22:27:11.397: %SEC-6-IPACCESSLOGDP: list ACL-vlan910 denied icmp 10.xx.xx.125 -> 10.xx.xx.126 (8/0), 8 packets
Conditions
The G-ACL is configured on a C9300 running 16.12.4.
Workaround
permit icmp host 10.xx.xx.125 host 10.xx.xx.126
Communication is possible when the ACE is defined explicitly, as shown above.
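
The workaround generalizes to groups with more than one member: each object-group ACE becomes one explicit ACE per protocol/source/destination combination. The Python below is an added example, not part of the original report or any Cisco tooling; the function names are hypothetical, the sample config uses constructed documentation addresses, and it assumes bare-protocol service members and host or subnet-mask network members only.

```python
import ipaddress
import re
from itertools import product

# Constructed sample (documentation addresses), same shape as the page's G-ACL.
SAMPLE = """\
object-group service ICMP
 icmp
object-group network Test01
 host 192.0.2.125
object-group network Test02
 host 192.0.2.126
 192.0.2.64 255.255.255.192
ip access-list extended ACL-vlan910
 10 permit object-group ICMP object-group Test01 object-group Test02
 9999 deny ip any any log
"""
ACE = re.compile(r"\s*(\d+) (permit|deny) object-group (\S+) "
                 r"object-group (\S+) object-group (\S+)(.*)")

def parse_groups(config):
    """Return {group name: [member lines]} for each object-group."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group (?:service|network) (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return groups

def ace_addr(member):
    """Network-group member -> ACE address (subnet mask becomes wildcard)."""
    if member.startswith("host "):
        return member
    net = ipaddress.ip_network(member.replace(" ", "/"))
    return f"{net.network_address} {net.hostmask}"

def expand(config):
    """Expand object-group ACEs into explicit ACEs, numbered from the original."""
    groups, out = parse_groups(config), []
    for m in filter(None, map(ACE.match, config.splitlines())):
        seq, action, svc, src, dst, tail = m.groups()
        combos = product(groups[svc], groups[src], groups[dst])
        for n, (proto, s, d) in enumerate(combos, int(seq)):
            if " " in proto:  # port/type qualifiers are out of scope here
                raise ValueError(f"unsupported service member: {proto}")
            out.append(f"{n} {action} {proto} {ace_addr(s)} {ace_addr(d)}{tail}")
    return out
```

Review the generated sequence numbers against the existing ACL before applying, since a large expansion can run into later entries such as the 9999 deny.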