ASA5510 - endless "access-list remark" entries

Aug 11th, 2010

I have two 5510s as a failover pair.

On the primary (active) unit I have the phenomenon that, from day to day, the running configuration gets more and more of the same entries, like this for example:

access-list NAME remark VPN ueber Group NAME auf NAME

I can delete these entries, but after a few days I have thousands of entries again.




Result of the command: "sh ver"

Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.1(1)

Compiled on Tue 06-Nov-07 22:59 by builders
System image file is "disk0:/asa803-k8.bin"
Config file at boot was "startup-config"

asa5510 up 7 days 0 hours
failover cluster up 265 days 2 hours

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   :  CN1000-MC-BOOT-2.00
                             SSL/IKE microcode:  CNLite-MC-SSLm-PLUS-2.01
                             IPSec microcode  :  CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0         : address is 0017.5a88.abc0, irq 9
1: Ext: Ethernet0/1         : address is 0017.5a88.abc1, irq 9
2: Ext: Ethernet0/2         : address is 0017.5a88.abc2, irq 9
3: Ext: Ethernet0/3         : address is 0017.5a88.abc3, irq 9
4: Ext: Management0/0       : address is 0017.5a88.abbf, irq 11
5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100      
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 2        
GTP/GPRS                     : Disabled 
VPN Peers                    : 250      
WebVPN Peers                 : 10       
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
Advanced Endpoint Assessment : Disabled 

This platform has an ASA 5510 Security Plus license.

Marcus Hunold Wed, 08/11/2010 - 08:11

The curious thing is that the secondary ASA5510 has more of these entries than the primary.

In size, I have an 8 MB configuration file from the primary and 12 MB from the secondary.

After I delete these thousands of entries, the configuration file is only 74 KB.

Allen P Chen (Cisco Employee) Wed, 08/11/2010 - 10:52

Hi Marcus,


Do you mostly use ASDM to manage the ASA?  Can you try the following via CLI without logging into ASDM?


1.  Copy the problematic ACL with the duplicate remarks into a text file


show run access-list NAME


2.  Remove all the duplicate remarks in the ACL on the text file


3.  Change the access-list name on the text file (for example, to access-list NAME_2)


4.  Copy access-list NAME_2 from the text file and paste it into the ASA


5.  Change the access-group from NAME to NAME_2


Does that resolve the issue with the duplicate remarks?
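
As an added example (not from the thread and not Cisco's own tooling), the following Python script automates steps 1 through 5 above: it takes the text of "show run access-list NAME", drops the duplicated remark lines, renames the ACL to NAME_2 and emits the access-group command for the swap. The sample ACL output is constructed for the example; the interface name "outside" and the addresses are assumptions. The script refuses to emit anything if the set of access control entries changed during cleanup, which is the check a practitioner wants before pasting a rewritten ACL into a firewall.

```python
import re

# Constructed sample of what "show run access-list NAME" could return on an ASA
# whose ACL has accumulated duplicate remark lines (ASA 8.0 syntax; NAME and the
# addresses are placeholders, not taken from the thread).
SAMPLE_ACL_OUTPUT = """\
access-list NAME remark VPN ueber Group NAME auf NAME
access-list NAME remark VPN ueber Group NAME auf NAME
access-list NAME remark VPN ueber Group NAME auf NAME
access-list NAME extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NAME remark Management access
access-list NAME remark Management access
access-list NAME extended permit tcp 10.1.0.0 255.255.0.0 host 10.2.0.10 eq 22
access-list NAME extended deny ip any any
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(.*)$")
REMARK_RE = re.compile(r"^access-list\s+(\S+)\s+remark\s+(.*)$")


def acl_lines(text, acl_name):
    """Keep only the non-empty lines that belong to acl_name, whitespace-trimmed."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m and m.group(1) == acl_name:
            out.append(line)
    return out


def ace_lines(lines):
    """The access control entries, i.e. everything that is not a remark."""
    return [l for l in lines if not REMARK_RE.match(l)]


def remark_stats(lines):
    """(total remark lines, distinct remark texts): quantifies the bloat."""
    remarks = [REMARK_RE.match(l).group(2) for l in lines if REMARK_RE.match(l)]
    return len(remarks), len(set(remarks))


def dedupe_remarks(lines):
    """Drop repeated remarks, keeping the first copy of each run of identical
    consecutive remark lines. ACEs are kept verbatim and in order; dropping or
    reordering an ACE would change the policy, so build_cli verifies that."""
    out, prev_remark = [], None
    for line in lines:
        m = REMARK_RE.match(line)
        if m:
            if m.group(2) == prev_remark:
                continue
            prev_remark = m.group(2)
        else:
            prev_remark = None  # an ACE ends the run; the next remark is kept
        out.append(line)
    return out


def rename_acl(lines, old_name, new_name):
    """Rewrite 'access-list OLD ...' as 'access-list NEW ...' so the cleaned copy
    can be pasted next to the original and swapped in with one access-group change."""
    renamed = []
    for line in lines:
        m = ACL_RE.match(line)
        if m and m.group(1) == old_name:
            renamed.append(f"access-list {new_name} {m.group(2)}")
        else:
            renamed.append(line)
    return renamed


def build_cli(acl_output, old_name, new_name, interface, direction="in"):
    """Steps 1-5 as one CLI snippet: the cleaned and renamed ACL, then the
    access-group swap. Raises if the ACEs changed, which must never happen."""
    original = acl_lines(acl_output, old_name)
    cleaned = dedupe_remarks(original)
    if ace_lines(original) != ace_lines(cleaned):
        raise ValueError("ACE set changed during cleanup; refusing to emit config")
    cmds = rename_acl(cleaned, old_name, new_name)
    cmds.append(f"access-group {new_name} {direction} interface {interface}")
    return cmds


if __name__ == "__main__":
    before = acl_lines(SAMPLE_ACL_OUTPUT, "NAME")
    total, distinct = remark_stats(before)
    print(f"! {total} remark lines, {distinct} distinct, {len(ace_lines(before))} ACEs")
    print("\n".join(build_cli(SAMPLE_ACL_OUTPUT, "NAME", "NAME_2", "outside")))
```

Only consecutive identical remarks are collapsed, so a remark that is deliberately reused at a different position in the ACL survives; the remark_stats output tells you how far the total and distinct counts diverge before you paste anything. Paste the printed lines into configuration mode on the ASA and confirm the interface binding with "show run access-group" afterwards.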

Marcus Hunold Thu, 08/26/2010 - 04:51

Finally, I have deleted the remark entries where the duplicate problem existed.

Since then the problem is solved, and I will think hard about whether to use remarks again in that area of the access lists...


PS: Nearly all configuration changes were made with the ASDM.
