Cisco ASA 8.4(7)- ACL remark line is missing in 'show running-config'


We have a problem in our ASA configuration.
In some cases, ACL remark lines appear in the 'show access-list' output but not in the 'show running-config' output.
This causes the ACL line numbers to be calculated incorrectly, since the remark lines are missing.

You can see that the remark 5058 appears 8 times under 'show access-list':


access-list inside_access_out line 38 remark 5058
  access-list inside_access_out line 39 extended permit tcp host 10.20.85.19 10.30.85.16 255.255.255.240 eq 1923 log informational interval 300 (hitcnt=0) 0xe30d227d
...
access-list inside_access_out line 40 remark 5058
access-list inside_access_out line 41 extended permit object-group gr-FireFlow-5058-Service-2 object range-10.30.6.179-10.30.6.181 object-group gr-FireFlow-5058-Destination-2 log informational interval 300 0x8394c38d
  access-list inside_access_out line 41 extended permit tcp range 10.30.6.179 10.30.6.181 host 10.30.85.16 eq 9094 log informational interval 300 (hitcnt=0) 0x0e97aedf
access-list inside_access_out line 42 remark 5058
  access-list inside_access_out line 42 extended permit tcp range 10.30.6.179 10.30.6.181 host 10.30.85.18 eq 9094 log informational interval 300 (hitcnt=0) 0xaebfd4f9
access-list inside_access_out line 43 remark 5058
  access-list inside_access_out line 43 extended permit tcp range 10.30.6.179 10.30.6.181 host 10.30.85.16 eq ssh log informational interval 300 (hitcnt=0) 0x30cba006
access-list inside_access_out line 44 remark 5058
  access-list inside_access_out line 44 extended permit tcp range 10.30.6.179 10.30.6.181 host 10.30.85.18 eq ssh log informational interval 300 (hitcnt=0) 0x73b5de31
access-list inside_access_out line 45 remark 5058
access-list inside_access_out line 46 extended permit object-group gr-FireFlow-5058-Service-2 object-group gr-FireFlow-5058-Source-2 object-group gr-FireFlow-5058-Destination-2 log informational interval 300 0xab300e63
  access-list inside_access_out line 46 extended permit tcp host 10.20.85.19 host 10.30.85.16 eq 9094 log informational interval 300 (hitcnt=0) 0x59bf3ab1
...
access-list inside_access_out line 47 remark 5058
access-list inside_access_out line 48 extended permit tcp host 10.20.85.19 host 10.30.85.192 eq ssh log informational interval 300 (hitcnt=0) 0x010d8dd1
access-list inside_access_out line 49 remark 5058
access-list inside_access_out line 50 extended permit tcp 10.20.85.18 255.255.255.254 10.30.85.192 255.255.255.254 eq ssh log informational interval 300 (hitcnt=0) 0x77cfd4cd

 

but only 5 times under 'show running-config':


access-list inside_access_out remark FireFlow #141
access-list inside_access_out remark 5058
access-list inside_access_out remark 5058
access-list inside_access_out remark 5058
access-list inside_access_out remark 5058
access-list inside_access_out remark 5058
access-list inside_access_out remark FireFlow #1517

I found documentation about a very similar bug on other versions, 8.3(2.18) - 8.4(3), here: CSCtq12090
(also here: A possible bug related to the Cisco ASA "show access-list"? | Firewalling | Cisco Support Community)


Has anybody seen this problem before? Is this a known problem? 
Thanks in advance
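An added example, not part of the post: a small Python check that parses the two outputs shown above and reports every remark whose count differs between 'show access-list' and 'show running-config', which is exactly the mismatch described. The sample text is constructed from short excerpts shaped like the post's output, not the poster's full dump; the regexes assume the standard ASA line formats shown in it.

```python
import re
from collections import Counter

# Constructed excerpts modelled on the post's output (not the full dump).
SHOW_ACCESS_LIST = """\
access-list inside_access_out line 38 remark 5058
access-list inside_access_out line 39 extended permit tcp host 10.20.85.19 host 10.30.85.16 eq 1923 log informational interval 300 (hitcnt=0) 0xe30d227d
access-list inside_access_out line 40 remark 5058
access-list inside_access_out line 41 extended permit tcp range 10.30.6.179 10.30.6.181 host 10.30.85.16 eq 9094 log informational interval 300 (hitcnt=0) 0x0e97aedf
access-list inside_access_out line 42 remark 5058
access-list inside_access_out line 43 extended permit tcp range 10.30.6.179 10.30.6.181 host 10.30.85.18 eq ssh log informational interval 300 (hitcnt=0) 0xaebfd4f9
access-list inside_access_out line 44 remark FireFlow #1517
"""

SHOW_RUNNING_CONFIG = """\
access-list inside_access_out remark 5058
access-list inside_access_out extended permit tcp host 10.20.85.19 host 10.30.85.16 eq 1923 log informational interval 300
access-list inside_access_out remark 5058
access-list inside_access_out extended permit tcp range 10.30.6.179 10.30.6.181 host 10.30.85.16 eq 9094 log informational interval 300
access-list inside_access_out extended permit tcp range 10.30.6.179 10.30.6.181 host 10.30.85.18 eq ssh log informational interval 300
access-list inside_access_out remark FireFlow #1517
"""

# 'show access-list' carries a "line N" token; the running config does not.
ACL_REMARK_RE = re.compile(r"^access-list (\S+) line \d+ remark (.*)$")
RUN_REMARK_RE = re.compile(r"^access-list (\S+) remark (.*)$")


def remark_counts(text, pattern):
    """Count remark lines per (acl-name, remark-text) in one command's output."""
    counts = Counter()
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            counts[(m.group(1), m.group(2).strip())] += 1
    return counts


def remark_discrepancies(show_acl, show_run):
    """Map (acl, remark) -> (count in show access-list, count in running-config)
    for every remark whose counts differ. Any entry here means the 'line N'
    numbers in 'show access-list' cannot be reproduced from the running config."""
    in_acl = remark_counts(show_acl, ACL_REMARK_RE)
    in_run = remark_counts(show_run, RUN_REMARK_RE)
    return {k: (in_acl[k], in_run[k]) for k in in_acl.keys() | in_run.keys()
            if in_acl[k] != in_run[k]}


if __name__ == "__main__":
    for (acl, remark), (n_acl, n_run) in sorted(
            remark_discrepancies(SHOW_ACCESS_LIST, SHOW_RUNNING_CONFIG).items()):
        print(f"{acl}: remark '{remark}' x{n_acl} in show access-list, x{n_run} in running-config")
```

Feed it the real captures of both commands (one string each) to get the list of remarks to reconcile before trusting 'line N' insert positions.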
