Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ASDM 6.4 policy out of sync with CLI access-list

Hello,

We have a clustered environement with 5550 and 5580 ASA ,

on one of the 5580 clusters running software version 8.2 with ASDM 6.4 in one specific context we had the wierdest of behaviour in a DMZ

... after saving a config following an add to the policy we got the message that it could not upload due to :

  "Specified access-list does not exist at that line"

carefull analyse reveiled that we had a sync issue between the CLI and the ASDM , in fact the first rule visible in the ASDM which held an udp/SNMP access between 2 vlan didn't exist in the cli access-list ... so when the ASDM tried to write away the policy the lines didn't match

we tried removing the line in de ASDM and apply it , the reply told us that "no changes have been made"  , after some intensive trying we reverted from version ASDM 6.4 to 6.2 (cfr a ticket found on this site with a similar issue) and indeed the issue disappeared , however on upgrading again to 6.4 .. the problem immediately activated again ... we have no idea how de ASDM in version 6.4 found the SNMP rule which isn't present at all in the CLI of the ASa system and why a downgrade to 6.2 doesn't see it at all

when placing a copy of the snmp rule lower in the config and trying to delete the first one , after uploading and reloading it pushed the new rule up toward the first snmp rule and restored that deleted line

we eventually got out of the situation by creating the SNMP line lower on but adding not only the SNMP object but also the snmptrap object , as by miracle we could now delete the out of sync line at line nr 1 in de policy and save/upload. Since then  the policy functions normal

if we however remove the snmptrap object from the new line and upload the issue immediately activates ... doesn anyone have an idea what happens here and how we could get out of it ? atm we have a working situation but idd rather know what causes this and have it fixed.

Regards,

Greetz

576
Views
0
Helpful
0
Replies
CreatePlease to create content