ASA5510 - endless "access-list remark" entries

Unanswered Question
Aug 11th, 2010

I have two 5510 as Failover pair.

On the primary active I have the phenomenon that from day to day

the running-configuration will get more and more the same entries

like this as example

access-list NAME remark VPN ueber Group NAME auf NAME

I can delete this entries but after a few days I have thousands entries again.

Result of the command: "sh ver"

Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.1(1)

Compiled on Tue 06-Nov-07 22:59 by builders
System image file is "disk0:/asa803-k8.bin"
Config file at boot was "startup-config"

asa5510 up 7 days 0 hours
failover cluster up 265 days 2 hours

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   :  CN1000-MC-BOOT-2.00
                             SSL/IKE microcode:  CNLite-MC-SSLm-PLUS-2.01
                             IPSec microcode  :  CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0         : address is 0017.5a88.abc0, irq 9
1: Ext: Ethernet0/1         : address is 0017.5a88.abc1, irq 9
2: Ext: Ethernet0/2         : address is 0017.5a88.abc2, irq 9
3: Ext: Ethernet0/3         : address is 0017.5a88.abc3, irq 9
4: Ext: Management0/0       : address is 0017.5a88.abbf, irq 11
5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100      
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 2        
GTP/GPRS                     : Disabled 
VPN Peers                    : 250      
WebVPN Peers                 : 10       
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
Advanced Endpoint Assessment : Disabled 

This platform has an ASA 5510 Security Plus license.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Marcus Hunold Wed, 08/11/2010 - 08:11

the courios is that the secondary ASA5510 have more entries of this as the primary.

So in Mbyte I have from the primary 8MB configuration file and from the secondary 12MB

After I delete this thousands of entries the configuration file is only 74kb

Allen P Chen Wed, 08/11/2010 - 10:52

Hi Marcus,

Do you mostly use ASDM to manage the ASA?  Can you try the following via CLI without logging into ASDM?

1.  Copy the problematic ACL with the duplicate remarks into a text file

show run access-list NAME

2.  Remove all the duplicate remarks in the ACL on the text file

3.  Change the access-list name on the text file (for example, to access-list NAME_2)

4.  Copy access-list NAME_2 from the text file and paste it into the ASA

5.  Change the access-group from NAME to NAME_2

Does the resolve the issue with the duplicate remarks?

Marcus Hunold Thu, 08/26/2010 - 04:51

Finally I have deleted the remark entries where the duplicate problem exist.

Since that time problem is solved and I will strongly think about if I use remark again in that area of access lists...

PS: Nearly all configuration changes were made with the ASDM.


This Discussion