ASA5510 - endless "access-list remark" entries

Marcus Hunold · ‎08-11-2010

I have two 5510 as Failover pair.

On the primary active I have the phenomenon that from day to day

the running-configuration will get more and more the same entries

like this as example

access-list NAME remark VPN ueber Group NAME auf NAME

I can delete this entries but after a few days I have thousands entries again.

Result of the command: "sh ver"

Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.1(1)

Compiled on Tue 06-Nov-07 22:59 by builders
System image file is "disk0:/asa803-k8.bin"
Config file at boot was "startup-config"

asa5510 up 7 days 0 hours
failover cluster up 265 days 2 hours

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
                             IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0         : address is 0017.5a88.abc0, irq 9
1: Ext: Ethernet0/1         : address is 0017.5a88.abc1, irq 9
2: Ext: Ethernet0/2         : address is 0017.5a88.abc2, irq 9
3: Ext: Ethernet0/3         : address is 0017.5a88.abc3, irq 9
4: Ext: Management0/0       : address is 0017.5a88.abbf, irq 11
5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs                : 100
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 250
WebVPN Peers                 : 10
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled

This platform has an ASA 5510 Security Plus license.

Marcus Hunold · ‎08-11-2010

the courios is that the secondary ASA5510 have more entries of this as the primary.

So in Mbyte I have from the primary 8MB configuration file and from the secondary 12MB

After I delete this thousands of entries the configuration file is only 74kb

Allen P Chen · ‎08-11-2010

Hi Marcus,

Do you mostly use ASDM to manage the ASA? Can you try the following via CLI without logging into ASDM?

1. Copy the problematic ACL with the duplicate remarks into a text file

show run access-list NAME

2. Remove all the duplicate remarks in the ACL on the text file

3. Change the access-list name on the text file (for example, to access-list NAME_2)

4. Copy access-list NAME_2 from the text file and paste it into the ASA

5. Change the access-group from NAME to NAME_2

Does the resolve the issue with the duplicate remarks?

Marcus Hunold · ‎08-26-2010

Finally I have deleted the remark entries where the duplicate problem exist.

Since that time problem is solved and I will strongly think about if I use remark again in that area of access lists...

PS: Nearly all configuration changes were made with the ASDM.