
Reflexive ACL Not Allowing Return Traffic for Established Sessions

Presenting Symptom

Internal hosts can initiate outbound TCP connections, but return traffic for established sessions is dropped, causing connections to time out.

Network Context

A small branch office with a Cisco 4321 router running IOS XE 16.9. The router connects the internal LAN (192.168.1.0/24) to the internet via a single WAN interface. Reflexive ACL is applied outbound on the inside interface to permit outbound traffic and dynamically allow return traffic. The problem occurs for all TCP sessions initiated from inside hosts.

Diagnostic Steps

1. Check the reflexive ACL configuration

show running-config | section ip access-list
ip access-list extended OUTBOUND_FILTER
 permit tcp 192.168.1.0 0.0.0.255 any reflect TCP_TRAFFIC
ip access-list extended INBOUND_FILTER
 evaluate TCP_TRAFFIC

Verify that the reflexive ACL is correctly defined with the 'reflect' keyword on the outbound ACL and the 'evaluate' statement on the inbound ACL. If missing, the reflexive ACL is not configured properly.

2. Verify ACL application on interfaces

show running-config interface GigabitEthernet0/0/0
ip access-group OUTBOUND_FILTER out
ip access-group INBOUND_FILTER in

Confirm the outbound ACL is applied outbound on the inside interface and the inbound ACL is applied inbound on the same interface. Misapplication (e.g., both applied in the same direction) will prevent reflexive entries from being created.

3. Check the dynamically created reflexive ACL entries

show ip access-list INBOUND_FILTER
Extended IP access list INBOUND_FILTER
    10 evaluate TCP_TRAFFIC
Reflexive IP access list TCP_TRAFFIC
    permit tcp host 192.168.1.10 eq 12345 host 203.0.113.5 eq 80 (25 matches) (time left 298)

Look for dynamic reflexive entries. If no entries appear after initiating a connection, the reflexive ACL is not being triggered. Check that the outbound ACL permits the traffic and includes the 'reflect' keyword. Also verify that the 'evaluate' statement is present.

4. Inspect interface statistics for drops

show interface GigabitEthernet0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
  ...
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  ...
  5 minute input rate 1000 bits/sec, 2 packets/sec
  5 minute output rate 2000 bits/sec, 3 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Check for any input or output drops. If drops are increasing, they may indicate ACL drops. However, reflexive ACL drops are not directly shown here; use 'show access-list' to see match counts. This step helps rule out other interface issues.

Root Cause

The reflexive ACL is not configured correctly: the outbound ACL is missing the 'reflect' keyword, or the inbound ACL lacks the 'evaluate' statement, or the ACLs are applied in the wrong direction. Without the 'reflect' keyword, the router does not create dynamic entries for return traffic. Without the 'evaluate' statement, the inbound ACL does not check those dynamic entries.
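As an added example (not code from the page or from Cisco), a small Python checker that reads a 'show running-config' excerpt and reports the three misconfigurations named above: a permit entry without 'reflect', a missing or mismatched 'evaluate', and ACLs applied in the wrong direction on the interface. The ACL names and interface are the page's; the configuration text itself is constructed.

```python
import re

# Constructed 'show running-config' excerpt mirroring the page's scenario
# (the ACL names and interface are the page's; the text itself is constructed).
GOOD_CONFIG = """\
interface GigabitEthernet0/0/0
 ip access-group OUTBOUND_FILTER out
 ip access-group INBOUND_FILTER in
!
ip access-list extended OUTBOUND_FILTER
 permit tcp 192.168.1.0 0.0.0.255 any reflect TCP_TRAFFIC
ip access-list extended INBOUND_FILTER
 evaluate TCP_TRAFFIC
"""

def parse_sections(config):
    """Map each top-level line (interface or ACL header) to its indented sub-lines, joined with newlines."""
    sections, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif line and not line.startswith("!"):
            current = line.strip()
            sections[current] = []
        else:
            current = None
    return {k: "\n".join(v) for k, v in sections.items()}

def check_reflexive(config, interface, outbound_acl, inbound_acl):
    """Return one finding per failure mode named in the Root Cause; an empty list means the pairing is sound."""
    s = parse_sections(config)
    # 1. a permit entry in the outbound ACL must carry 'reflect NAME'
    reflects = set(re.findall(r"^permit .*\breflect (\S+)$", s.get(f"ip access-list extended {outbound_acl}", ""), re.M))
    # 2. the inbound ACL must 'evaluate' the same NAME
    evaluates = set(re.findall(r"^evaluate (\S+)$", s.get(f"ip access-list extended {inbound_acl}", ""), re.M))
    findings = []
    if not reflects:
        findings.append(f"{outbound_acl}: no permit entry carries the 'reflect' keyword")
    if not evaluates:
        findings.append(f"{inbound_acl}: missing 'evaluate' statement")
    findings += [f"reflect list {n} is never evaluated in {inbound_acl}" for n in sorted(reflects - evaluates)]
    # 3. the ACLs must be applied to the interface in the expected directions
    groups = {d: n for n, d in re.findall(r"^ip access-group (\S+) (in|out)$", s.get(f"interface {interface}", ""), re.M)}
    if groups.get("out") != outbound_acl:
        findings.append(f"{interface}: {outbound_acl} is not applied 'out'")
    if groups.get("in") != inbound_acl:
        findings.append(f"{interface}: {inbound_acl} is not applied 'in'")
    return findings
```

Run check_reflexive against a pasted running-config before and after the Resolution steps; a clean result is the same evidence step 1 and step 2 of the diagnostics gather by hand.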

Resolution

1. Remove the existing ACLs from the interface:

interface GigabitEthernet0/0/0
 no ip access-group OUTBOUND_FILTER out
 no ip access-group INBOUND_FILTER in

2. Recreate the ACLs with correct syntax:

ip access-list extended OUTBOUND_FILTER
 permit tcp 192.168.1.0 0.0.0.255 any reflect TCP_TRAFFIC
ip access-list extended INBOUND_FILTER
 evaluate TCP_TRAFFIC

3. Apply the ACLs to the interface:

interface GigabitEthernet0/0/0
 ip access-group OUTBOUND_FILTER out
 ip access-group INBOUND_FILTER in

Verification

1. Initiate a TCP connection from an internal host (e.g., telnet to an external server).

2. Run 'show ip access-list INBOUND_FILTER' and verify that a dynamic reflexive entry appears with the correct source/destination IPs and ports, and a "time left" countdown.

3. Confirm that return traffic is now passing (e.g., the connection is established and data flows).

Prevention

1. Always include the 'reflect' keyword on the outbound ACL permit statement and the 'evaluate' statement on the inbound ACL.

2. Apply the outbound ACL on the inside interface outbound and the inbound ACL on the same interface inbound.

3. Use 'show ip access-list' to verify dynamic entries after testing a connection.

CCNA Exam Relevance

On the CCNA 200-301 exam, reflexive ACLs are tested in troubleshooting scenarios. Questions may present a configuration with missing 'reflect' or 'evaluate' keywords, or incorrect application direction. Candidates must identify why return traffic is dropped and know the correct syntax and placement.

Exam Tips

1. Remember that reflexive ACLs are stateful for TCP only (unless extended with 'icmp' or 'udp' using additional statements).

2. The 'evaluate' statement must reference the same name used in the 'reflect' keyword.

3. Use 'show ip access-list' to see dynamic entries; if none appear, the outbound traffic is not matching the reflect rule.
