01-04-2008 05:35 AM - edited 03-11-2019 04:43 AM
Hello,
I'm having a little bit of a problem trying to remove an access list that includes object groups. When I try to remove an access list with the "no" preceding the access list it gives me this error: Specified access-list does not exist.
The reason I tried deleting the access list is because even after adding IP addresses to a object group, it wasn't giving me the desired results.
As I stated earlier, I tried deleting the ACL with no luck, but I am able to add the exact ACL into the config which allows me to use the object groups with the desired effect.
Here is my current config, or at least parts that are relevant:
ASA Version 7.2(2)
....
object-group network allowed
network-object xx.xx.222.0 255.255.255.0
network-object xx.xx.190.4 255.255.255.255
network-object xx.xx.169.150 255.255.255.255
network-object xx.xx.67.202 255.255.255.255
network-object xx.xx.190.12 255.255.255.255
object-group service web tcp
port-object eq www
port-object eq https
object-group service asterisk udp
port-object eq sip
port-object eq 4569
port-object eq 5036
access-list 101 extended permit udp any gt 1023 interface outside object-group asterisk
access-list 101 extended permit tcp object-group allowed gt 1023 interface outside object-group web
access-list 101 extended permit tcp object-group allowed gt 1023 interface outside eq ssh
access-list 101 extended permit tcp object-group allowed gt 1023 interface outside eq ssh
....
: end
show ver:
Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)
....
I work for an ISP so I have access to other hardware, and this problem is happening on multiple ASA firewalls, so I'm assuming it's a bug in the IOS, but I could be wrong. Any help would be greatly appreciated.
01-04-2008 06:11 AM
If you are trying to remove the entire access list you will need to type:
clear configure access-list 101
01-04-2008 07:57 AM
Hello,
I'm only trying to remove this ACL:
access-list 101 extended permit tcp object-group allowed gt 1023 interface outside eq ssh
As you can see, it's in the configuration twice. When I try to remove it with:
no access-list 101 extended permit tcp object-group allowed gt 1023 interface outside eq ssh
it will delete one, but not both.
01-04-2008 08:05 AM
That is a very strange issue as it shouldn't have allowed you to put duplicate entries in your ACL. I would recommend clearing the ACL and rebuilding it.
01-04-2008 06:27 AM
If you are trying to remove the entire access list you will need to type:
clear configure access-list 101
01-04-2008 08:04 AM
I think he means he's only trying to remove that single ace. You may want to try removing the entire acl and recreating it.
01-04-2008 09:59 AM
Initially I tried removing the single instance of this ACL when it wouldn't accept any changes that I made to the access group. Since I couldn't remove it, I wanted to see what would happen if I re-entered it into the config. It accepted it, I can delete the previously created one, but still cannot delete the older one.
I don't want to remove ACL 101. I want to know why I'm having this problem. This isn't the first ASA 5505 I've had this exact problem with. I thought it was initially maybe something wrong with the IOS, so I switched to a new ASA, but I'm still experiencing the same problems.
The initial configuration is fine, I can add and delete from the access group with the changes taking effect immediately, and I can add and remove ACL without a problem. It's only after the firewall has been running for a few months that this problem seems to occur. It is also connected to a cable modem, I don't know if that makes any difference. It shouldn't.
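As an added example (not part of the thread or of any Cisco tool): a small Python audit that flags the duplicate ACE discussed above in a saved ASA config, and also reports object-groups that an ACE references but the config never defines. The config text is constructed from the lines quoted in the thread, with the xx.xx placeholders kept as-is.

```python
"""Audit an ASA 7.x config for duplicate ACEs and dangling object-group references."""
import re
from collections import Counter

# Constructed sample: trimmed from the config quoted in the original post.
ASA_CONFIG = """\
object-group network allowed
 network-object xx.xx.222.0 255.255.255.0
 network-object xx.xx.190.4 255.255.255.255
object-group service web tcp
 port-object eq www
 port-object eq https
object-group service asterisk udp
 port-object eq sip
 port-object eq 4569
access-list 101 extended permit udp any gt 1023 interface outside object-group asterisk
access-list 101 extended permit tcp object-group allowed gt 1023 interface outside object-group web
access-list 101 extended permit tcp object-group allowed gt 1023 interface outside eq ssh
access-list 101 extended permit tcp object-group allowed gt 1023 interface outside eq ssh
"""


def parse_object_groups(config):
    """Map object-group name -> list of its member lines (network-object / port-object)."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group (network|service) (\S+)", line)
        if m:
            current = m.group(2)
            groups[current] = []
        elif current and line.startswith(" "):
            groups[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the group block
    return groups


def find_duplicate_aces(config):
    """Return {ace: count} for ACEs that appear more than once (whitespace-normalised).
    The ASA CLI normally rejects a duplicate ACE, so a count > 1 is worth a closer look."""
    aces = [" ".join(l.split()) for l in config.splitlines() if l.startswith("access-list ")]
    return {ace: n for ace, n in Counter(aces).items() if n > 1}


def undefined_group_refs(config):
    """Object-group names referenced by an ACE but never defined in the config."""
    defined = set(parse_object_groups(config))
    refs = set()
    for line in config.splitlines():
        if line.startswith("access-list "):
            refs.update(re.findall(r"object-group (\S+)", line))
    return sorted(refs - defined)
```

Run it against `show running-config` output saved to a file; the duplicate-ACE report is the quickest way to tell a config hit by this behaviour from one that simply has a typo in the `no access-list` line.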
10-20-2010 03:40 PM
Hi Switchtower,
Did you ever get to the bottom of this? I am experiencing the same issue so I'd be keen to see if you found a resolution beyond rebuilding the ACL.
Cheers
Scott
10-20-2010 09:22 PM
Hello People,
I need to get my eyes into this, would you please (if you have time for a maintenance window) reload any of these devices that are having the problem? Are all of them running the same code?
I'll try to get this resolved together with you.
Cheers
Mike
10-20-2010 11:10 PM
Sorry Mike,
These units are live production with a 1 hour downtime window a month and it's at an ungodly hour. When the opportunity arises I will try this reload and let everyone know how it goes.
Cheers
Scott
10-21-2010 08:14 AM
Scott,
If you are running ASA 7.2 like the original poster, this issue might be caused by CSCsg08640. An upgrade to the latest 7.2 image should take care of the problem.
Hope that helps.
-Mike
10-21-2010 03:19 PM
Thanks Mike, that's probably it - I'm running 7.0.6 (gasp!). Time for an upgrade then.
Cheers
Scott
10-21-2010 08:39 PM
It would be a good idea also to try the workaround to make sure that we are hitting the bug, then the upgrade can be done. It all depends on you now.
Cheers
Mike
10-22-2010 12:17 AM
I can do that easily enough.
What I'll do is try:
1. a simple reboot and remove
2. remove and re-add the ACL from the interface and remove the ACE
3. clear/delete the ACL entirely
4. OS upgrade
If any one of those succeeds then that's as far as I'll be able to go, but I'll do them in that order.
Give me a few weeks and I'll come back to this thread with my findings.
Cheers
Scott