terraform-provider-iosxe
Access-list sequence number change causes 400 invalid-value error
Hi,
Moving ACL rules to different sequence numbers causes a client error.
```
│ Error: Client Error
│ 
│   with iosxe_access_list_extended.cx-nl-ams-01_extended-acl-gi2,
│   on cx-nl-ams-01_services.tf line 237, in resource "iosxe_access_list_extended" "cx-nl-ams-01_extended-acl-gi2":
│  237: resource "iosxe_access_list_extended" "cx-nl-ams-01_extended-acl-gi2" {
│ 
│ Failed to configure object (PATCH), got error: HTTP Request failed:
│ StatusCode 400, RESTCONF errors {Error:[{ErrorType:application
│ ErrorTag:invalid-value ErrorAppTag:
│ ErrorPath:/Cisco-IOS-XE-native:native/ip/access-list/Cisco-IOS-XE-acl:extended
│ ErrorMessage:inconsistent value: Device refused one or more commands
│ ErrorInfo:}]} {PatchId: GlobalStatus:{Ok:false Errors:{Error:[]}}
│ EditStatus:{Edit:[]} Errors:{Error:[]}}
```
Steps to reproduce:
- Deploy the ACL below
```hcl
resource "iosxe_access_list_extended" "cx-nl-ams-01_extended-acl-gi2" {
  provider = iosxe.cx-nl-ams-01_provider
  name     = "INTERFACE-GI2-ACL-IN-INTERNET"
  entries = [
    {
      sequence = 10
      ace_rule_action   = "permit"
      ace_rule_protocol = "ip"
      source_host       = "11.22.33.44"
      destination_any   = true
      log               = true
    },
    {
      sequence = 20
      ace_rule_action    = "permit"
      ace_rule_protocol  = "ip"
      source_prefix      = "156.114.0.0"
      source_prefix_mask = "0.0.15.255"
      destination_any    = true
      log                = true
    },
    {
      sequence = 30
      ace_rule_action               = "permit"
      ace_rule_protocol             = "tcp"
      source_any                    = true
      source_port_lesser_than       = "1024"
      destination_any               = true
      destination_port_greater_than = "1023"
      established                   = true
      log                           = true
    },
    {
      sequence = 40
      # remark            = "Default deny"
      ace_rule_action   = "deny"
      ace_rule_protocol = "ip"
      source_any        = true
      destination_any   = true
      log               = true
    }
  ]
}
```
- Change the ACL to the following code (insert seq 20 and renumber the rest)
```hcl
resource "iosxe_access_list_extended" "cx-nl-ams-01_extended-acl-gi2" {
  provider = iosxe.cx-nl-ams-01_provider
  name     = "INTERFACE-GI2-ACL-IN-INTERNET"
  entries = [
    {
      sequence = 10
      ace_rule_action   = "permit"
      ace_rule_protocol = "ip"
      source_host       = "11.22.33.44"
      destination_any   = true
      log               = true
    },
    {
      sequence = 20
      ace_rule_action   = "permit"
      ace_rule_protocol = "ip"
      source_host       = "55.66.77.88"
      destination_any   = true
      log               = true
    },
    {
      sequence = 30
      ace_rule_action    = "permit"
      ace_rule_protocol  = "ip"
      source_prefix      = "156.114.0.0"
      source_prefix_mask = "0.0.15.255"
      destination_any    = true
      log                = true
    },
    {
      sequence = 40
      ace_rule_action               = "permit"
      ace_rule_protocol             = "tcp"
      source_any                    = true
      source_port_lesser_than       = "1024"
      destination_any               = true
      destination_port_greater_than = "1023"
      established                   = true
      log                           = true
    },
    {
      sequence = 50
      # remark            = "Default deny"
      ace_rule_action   = "deny"
      ace_rule_protocol = "ip"
      source_any        = true
      destination_any   = true
      log               = true
    }
  ]
}
```
Available workaround:
- destroy the original ACL
- deploy the modified ACL
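As an added pre-apply check (example code, not part of the issue or of the provider), the following script compares the two `entries` lists from the report and flags rules whose body is unchanged but whose sequence number moved, which is exactly the change the report says makes the PATCH fail; `ace`, `rule_body`, `moved_entries` and `plan` are names chosen here, and the entry dicts are transcribed from the HCL above.

```python
from typing import Any, Dict, FrozenSet, List, Tuple

Entry = Dict[str, Any]


def ace(sequence: int, **attrs: Any) -> Entry:
    """Build one entry in the same shape as an item of the provider's `entries` list."""
    return {"sequence": sequence, **attrs}


def renumber(entry: Entry, sequence: int) -> Entry:
    """Same rule body, different position: the edit the report describes."""
    return {**entry, "sequence": sequence}


# Transcribed from the two resource blocks in the issue (constructed test data).
OLD_ENTRIES: List[Entry] = [
    ace(10, ace_rule_action="permit", ace_rule_protocol="ip", source_host="11.22.33.44", destination_any=True, log=True),
    ace(20, ace_rule_action="permit", ace_rule_protocol="ip", source_prefix="156.114.0.0", source_prefix_mask="0.0.15.255", destination_any=True, log=True),
    ace(30, ace_rule_action="permit", ace_rule_protocol="tcp", source_any=True, source_port_lesser_than="1024",
        destination_any=True, destination_port_greater_than="1023", established=True, log=True),
    ace(40, ace_rule_action="deny", ace_rule_protocol="ip", source_any=True, destination_any=True, log=True),
]
NEW_ENTRIES: List[Entry] = [
    OLD_ENTRIES[0],
    ace(20, ace_rule_action="permit", ace_rule_protocol="ip", source_host="55.66.77.88", destination_any=True, log=True),
    renumber(OLD_ENTRIES[1], 30),
    renumber(OLD_ENTRIES[2], 40),
    renumber(OLD_ENTRIES[3], 50),
]


def rule_body(entry: Entry) -> FrozenSet[Tuple[str, Any]]:
    """Everything that identifies the rule except its position in the list."""
    return frozenset((k, v) for k, v in entry.items() if k != "sequence")


def moved_entries(old: List[Entry], new: List[Entry]) -> List[Tuple[int, int]]:
    """(old_sequence, new_sequence) for every rule body present in both lists at different sequences."""
    old_seq_by_body = {rule_body(e): e["sequence"] for e in old}
    moved = []
    for entry in new:
        old_seq = old_seq_by_body.get(rule_body(entry))
        if old_seq is not None and old_seq != entry["sequence"]:
            moved.append((old_seq, entry["sequence"]))
    return moved


def plan(old: List[Entry], new: List[Entry]) -> str:
    """'patch' when rules only change in place or are added/removed; 'recreate' (destroy, then deploy)
    when an existing rule moved, the case the report says the in-place PATCH fails on."""
    return "recreate" if moved_entries(old, new) else "patch"
```

Run `plan(OLD_ENTRIES, NEW_ENTRIES)` before `terraform apply`; a result of `recreate` is the signal to fall back to the destroy-and-redeploy workaround.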