Specified access-list does not exist ASA 5505

switchtower
Level 1

Hello,

I'm having a little bit of a problem trying to remove an access list that includes object groups. When I try to remove an access list with "no" preceding the access list, it gives me this error: Specified access-list does not exist.

The reason I tried deleting the access list is because even after adding IP addresses to an object group, it wasn't giving me the desired results.

As I stated earlier, I tried deleting the ACL with no luck, but I am able to add the exact ACL into the config which allows me to use the object groups with the desired effect.

Here is my current config, or at least parts that are relevant:

ASA Version 7.2(2)
....
object-group network allowed
 network-object xx.xx.222.0 255.255.255.0
 network-object xx.xx.190.4 255.255.255.255
 network-object xx.xx.169.150 255.255.255.255
 network-object xx.xx.67.202 255.255.255.255
 network-object xx.xx.190.12 255.255.255.255
object-group service web tcp
 port-object eq www
 port-object eq https
object-group service asterisk udp
 port-object eq sip
 port-object eq 4569
 port-object eq 5036
access-list 101 extended permit udp any gt 1023 interface outside object-group asterisk
access-list 101 extended permit tcp object-group allowed gt 1023 interface outside object-group web
access-list 101 extended permit tcp object-group allowed gt 1023 interface outside eq ssh
access-list 101 extended permit tcp object-group allowed gt 1023 interface outside eq ssh
....
: end

show ver:
Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)
....

I work for an ISP so I have access to other hardware, and this problem is happening on multiple ASA firewalls, so I'm assuming it's a bug in the IOS, but I could be wrong. Any help would be greatly appreciated.

13 Replies

adam.sellhorn
Level 4

If you are trying to remove the entire access list you will need to type:

clear configure access-list 101

Hello,

I'm only trying to remove this ACL:

access-list 101 extended permit tcp object-group allowed gt 1023 interface outside eq ssh

As you can see, it's in the configuration twice. When I try to remove it with:

no access-list 101 extended permit tcp object-group allowed gt 1023 interface outside eq ssh

it will delete one, but not both.

That is a very strange issue as it shouldn't have allowed you to put duplicate entries in your ACL. I would recommend clearing the ACL and rebuilding it.


I think he means he's only trying to remove that single ace. You may want to try removing the entire acl and recreating it.

Initially I tried removing the single instance of this ACL when it wouldn't accept any changes that I made to the access group. Since I couldn't remove it, I wanted to see what would happen if I re-entered it into the config. It accepted it, and I can delete the newly created one, but still cannot delete the older one.

I don't want to remove ACL 101. I want to know why I'm having this problem. This isn't the first ASA 5505 I've had this exact problem with. I thought it was initially maybe something wrong with the IOS, so I switched to a new ASA, but I'm still experiencing the same problems.

The initial configuration is fine, I can add and delete from the access group with the changes taking effect immediately, and I can add and remove ACL without a problem. It's only after the firewall has been running for a few months that this problem seems to occur. It is also connected to a cable modem, I don't know if that makes any difference. It shouldn't.

Hi Switchtower,

Did you ever get to the bottom of this? I am experiencing the same issue so I'd be keen to see if you found a resolution beyond rebuilding the ACL.

Cheers

Scott

Hello People,

I need to get my eyes into this. Would you please (if you have time for a maintenance window) reload any of these devices that are having the problem? Are all of them running the same code?

I'll try to get this resolved together with you.

Cheers

Mike

Sorry Mike,

These units are live production with a 1 hour downtime window a month and it's at an ungodly hour. When the opportunity arises I will try this reload and let everyone know how it goes.

Cheers

Scott

Scott,

If you are running ASA 7.2 like the original poster, this issue might be caused by CSCsg08640. An upgrade to the latest 7.2 image should take care of the problem.

Hope that helps.

-Mike

Thanks Mike, that's probably it - I'm running 7.0.6 (gasp!) Time for an upgrade then.

Cheers

Scott

It would be a good idea also to try the workaround to make sure that we are hitting the bug, then the upgrade can be done. It all depends on you now.

Cheers

Mike

I can do that easily enough.

What I'll do is try:

1. a simple reboot and remove

2. remove and re-add the ACL from the interface and remove the ACE

3. clear/delete the ACL entirely

4. OS upgrade

If any one of those succeeds then that's as far as I'll be able to go, but I'll do them in that order.

Give me a few weeks and I'll come back to this thread with my findings.

Cheers

Scott
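The duplicate ACE that switchtower could only half-remove, and steps 2 and 3 of Scott's plan (clear the ACL, rebuild it), are the kind of thing worth checking from a saved `show running-config` before touching a production box. The script below is an added example and not code from anyone in this thread: it parses the `access-list` lines of an ASA config, reports any ACE that occurs more than once in the same list, and prints a rebuild plan (`clear configure access-list <name>`, the deduplicated ACEs in their original order, then the `access-group` binding again so the interface is not left without its ACL). The sample config is constructed to mirror the poster's `access-list 101`; the addresses and the `access-group` line are placeholders, since the original post elides them.

```python
"""Find duplicate ACEs in an ASA access-list dump and emit a rebuild plan.

Added example (not from the thread). The config below is constructed to
match the shape of the poster's access-list 101; addresses are placeholders.
"""
import re
from collections import Counter, OrderedDict

# Constructed sample. 10.0.x.x stands in for the xx.xx.x.x addresses in the
# post, and the access-group line is assumed (the post does not show it).
SAMPLE_CONFIG = """\
object-group network allowed
 network-object 10.0.222.0 255.255.255.0
 network-object 10.0.190.4 255.255.255.255
object-group service web tcp
 port-object eq www
 port-object eq https
object-group service asterisk udp
 port-object eq sip
 port-object eq 4569
access-list 101 extended permit udp any gt 1023 interface outside object-group asterisk
access-list 101 extended permit tcp object-group allowed gt 1023 interface outside object-group web
access-list 101 extended permit tcp object-group allowed gt 1023 interface outside eq ssh
access-list 101 extended permit tcp object-group allowed gt 1023 interface outside eq ssh
access-group 101 in interface outside
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(.*)$")
# Global "access-list" settings that are not ACL names.
NOT_ACL_NAMES = {"alert-interval", "deny-flow-max", "mode"}


def parse_aces(config):
    """Return {acl_name: [ace, ...]} in config order; remarks are skipped."""
    acls = OrderedDict()
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise whitespace before comparing
        m = ACE_RE.match(line)
        if not m:
            continue
        name, ace = m.groups()
        if name in NOT_ACL_NAMES or ace.startswith("remark "):
            continue
        acls.setdefault(name, []).append(ace)
    return acls


def find_duplicates(config):
    """Return {acl_name: {ace: count}} for every ACE that appears more than once."""
    dupes = {}
    for name, aces in parse_aces(config).items():
        repeated = {ace: n for ace, n in Counter(aces).items() if n > 1}
        if repeated:
            dupes[name] = repeated
    return dupes


def access_groups(config):
    """Return the access-group lines, so bindings can be re-applied after a clear."""
    return [" ".join(l.split()) for l in config.splitlines()
            if l.strip().startswith("access-group ")]


def rebuild_plan(config, name):
    """Commands to rebuild one ACL without duplicates.

    'clear configure access-list <name>' removes every ACE of that list, so the
    plan re-adds the unique ACEs in original order and then re-binds the list
    with its access-group line rather than assuming the binding survived.
    """
    acls = parse_aces(config)
    if name not in acls:
        raise KeyError(f"access-list {name} not found in config")
    plan = [f"clear configure access-list {name}"]
    seen = set()
    for ace in acls[name]:
        if ace in seen:
            continue          # drop the duplicate ACE
        seen.add(ace)
        plan.append(f"access-list {name} {ace}")
    for binding in access_groups(config):
        if binding.split()[1] == name:
            plan.append(binding)
    return plan


if __name__ == "__main__":
    for acl, repeated in find_duplicates(SAMPLE_CONFIG).items():
        for ace, n in repeated.items():
            print(f"access-list {acl}: {n}x  {ace}")
    print()
    print("\n".join(rebuild_plan(SAMPLE_CONFIG, "101")))
```

Run it against a pasted `show running-config` rather than the sample, and review the printed plan before entering it in a maintenance window; clearing the list drops all its ACEs at once, so the re-add lines should be pasted in immediately after the `clear`.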
