ASA 5510 Reboots When Adding Objects or ACL

Unanswered Question
Sep 10th, 2010

I have two Cisco ASA 5510 devices terminating multiple site to site VPNs. I am trying to create a new nat0 rule on the outside interface which will allow traffic to pass from one VPN to the other. When I try to add a specific group object to a different object group it causes the device to reboot and fail over. I also tried to create a whole new object group and use that in a separate NO_NAT acl but I get the same result. Has anyone else experienced this?

The device is running version 8.2(1) with ASDM 6.2(3)

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Federico Coto F... Fri, 09/10/2010 - 15:27

Sounds like a very ugly bug.

You say the ASA reboots, it doesn't hang.

I'll try to get away from 8.2(1) to 8.2(2) and see if the problem persists.


Lloyd_Tobias Mon, 09/13/2010 - 07:58

I researched the problem further and discovered that two specific objects that I was trying to add to the object groups were giving me this problem. Could it be the configuration of these specific object groups that is causing this issue, and if so what should I look for?

Federico Coto F... Mon, 09/13/2010 - 08:11

I imagine that it might be related to the specific consequences of having those objects added to the configuration but I can't think of an object that would cause that...

Can you share the relevant part of your configuration with the objects that you were adding and perhaps we can figure out why this is happening.


Nagaraja Thanthry Mon, 09/13/2010 - 08:19

Do you have these object groups as part of any access-lists? Can you reproduce the issue? If yes, can you try to remove the corresponding access-list line and then change the object-group and see if that makes any difference? It could be related to a software defect but we need to identify the exact root cause before determining the bug ID.



Lloyd_Tobias Mon, 09/13/2010 - 08:45

I tried that with the second group I created below and it did the same thing.

ACL = access-list NO_NAT_SITE-TO-SITE extended permit ip object-group Acme_Global_NO_NAT object-group Acme_Global_NO_NAT

Group I am trying to add to:

object-group network Acme_Global_NO_NAT
network-object xx.0.0.0
network-object xxx.16.0.0
network-object xxx.168.0.0
network-object xx.45.18.32
network-object xx.45.115.32
network-object xx.45.18.0
network-object xx.45.112.224
network-object xxx.177.196.128
network-object host xxx.177.196.241
network-object xxx.40.49.0
network-object xxx.40.50.0
network-object xxx.40.53.0
network-object xxx.40.54.0
network-object xxx.40.55.0
network-object xxx.40.56.0

Group Object I am trying to add:

object-group network AcmeCom
network-object xxx.189.35.128

I also have the same problem with these two objects

ACL = access-list NO_NAT_SITE-TO-SITE extended permit ip object-group Acme_Remote_Asia object-group AcmeCom

object-group network Acme_Remote_Asia
group-object Acme_Singapore
group-object Acme_Taiwan
group-object Acme_Malaysia
group-object Acme_India
group-object Acme_Hong_Kong_2
group-object Acme_Hong_Kong_1
group-object Acme_Thailand
group-object Acme_China_1
group-object Acme_New_Zealand

object-group network Acme_China_2
description xx.180.30.128/27_Office
network-object xx.180.30.128

Message was edited by: Lloyd Tobias
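Added example, not code from the thread or from Cisco: a small Python checker that parses object-group network definitions in the 8.2 syntax posted above, flattens nested group-object references, and reports undefined or recursive references together with the number of expanded entries each object-group ACE produces, which is what a practitioner would want to check before adding an object to a group that an ACL already references. The sample config, its group names and its addresses are constructed placeholders, not the poster's configuration.

```python
import re
# Constructed sample in ASA 8.2 syntax; addresses are placeholders, not the poster's.
SAMPLE_CONFIG = """\
object-group network Acme_Global_NO_NAT
 network-object 10.0.0.0 255.0.0.0
 network-object host 192.0.2.241
object-group network Acme_Singapore
 network-object 10.1.0.0 255.255.255.0
object-group network Acme_Remote_Asia
 group-object Acme_Singapore
 group-object Acme_Taiwan
access-list NO_NAT_SITE-TO-SITE extended permit ip object-group Acme_Remote_Asia object-group Acme_Global_NO_NAT
access-list NO_NAT_SITE-TO-SITE extended permit ip object-group Acme_Global_NO_NAT object-group Acme_Global_NO_NAT
"""

def parse_groups(config):
    """Map group name -> members: ('net', 'addr mask') or ('group', name)."""
    groups, current = {}, []  # members seen before any header are discarded
    for line in config.splitlines():
        if m := re.match(r"object-group network (\S+)", line):
            current = groups.setdefault(m.group(1), [])
        elif m := re.match(r"\s+network-object (?:host )?(\S+)(?: (\S+))?$", line):
            current.append(("net", f"{m.group(1)} {m.group(2) or '255.255.255.255'}"))
        elif m := re.match(r"\s+group-object (\S+)", line):
            current.append(("group", m.group(1)))
    return groups

def expand(name, groups, seen=()):
    """Flatten nested groups; raise on an undefined or recursive reference."""
    if name not in groups:
        raise KeyError("undefined object-group: " + name)
    if name in seen:
        raise ValueError("recursive nesting: " + " -> ".join(seen + (name,)))
    nets = []
    for kind, value in groups[name]:
        nets += [value] if kind == "net" else expand(value, groups, seen + (name,))
    return nets

def ace_expansion(config):
    """Per ACL line: (line, expanded src*dst entry count) or (line, error text)."""
    groups, results = parse_groups(config), []
    for line in config.splitlines():
        m = re.match(r"access-list \S+ extended permit ip object-group (\S+) object-group (\S+)", line)
        if m:
            try:
                src, dst = expand(m.group(1), groups), expand(m.group(2), groups)
                results.append((line, len(src) * len(dst)))
            except (KeyError, ValueError) as err:
                results.append((line, err.args[0]))
    return results
```

Run `ace_expansion` over a `show running-config` capture to see which ACEs reference a group with a missing member and how large the expanded ACL becomes once the new object is added.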

Federico Coto F... Mon, 09/13/2010 - 14:17

The problem is when you add those IPs (in the object-group).

Is that object-group being referenced by a NAT command or ACL somewhere?

Are the IPs that you're adding to the object-group part of the router itself (represents an IP from the router)?


Lloyd_Tobias Mon, 09/13/2010 - 14:23

No, they are both related to remote networks connected through VPN so they are related to NAT rules once they are added to the individual groups.

