We have a clustered environment with 5550 and 5580 ASAs.
On one of the 5580 clusters, running software version 8.2 with ASDM 6.4, in one specific context we had the weirdest behaviour in a DMZ.
After saving a config following an addition to the policy, we got the message that it could not upload due to:
"Specified access-list does not exist at that line"
Careful analysis revealed that we had a sync issue between the CLI and the ASDM. In fact, the first rule visible in the ASDM, which held a UDP/SNMP access between 2 VLANs, didn't exist in the CLI access-list, so when the ASDM tried to write the policy, the lines didn't match.
We tried removing the line in the ASDM and applying it; the reply told us that "no changes have been made". After some intensive trying we reverted from ASDM version 6.4 to 6.2 (cf. a ticket found on this site with a similar issue) and indeed the issue disappeared. However, on upgrading again to 6.4, the problem immediately activated again. We have no idea how the ASDM in version 6.4 found the SNMP rule, which isn't present at all in the CLI of the ASA system, or why a downgrade to 6.2 doesn't see it at all.
When placing a copy of the SNMP rule lower in the config and trying to delete the first one, after uploading and reloading it pushed the new rule up toward the first SNMP rule and restored that deleted line.
We eventually got out of the situation by creating the SNMP line lower down but adding not only the SNMP object but also the snmptrap object. As if by miracle, we could now delete the out-of-sync line at line nr 1 in the policy and save/upload. Since then the policy has functioned normally.
If, however, we remove the snmptrap object from the new line and upload, the issue immediately activates. Does anyone have an idea what happens here and how we could get out of it? At the moment we have a working situation, but I'd rather know what causes this and have it fixed.
We have configured the outside and inside interfaces with official IPv6 addresses and set a default route on the outside interface to our router. We have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...