Cisco Support Community

New Member

Cannot remove access list

Hello,

There is an access-list in my configuration which I for some reason cannot get removed.

It looks like this:

access-list acl-nw; 2 elements

access-list acl-nw line 1 permit ip object-group siteA-ip object-group siteB-ip

access-list acl-nw line 1 permit ip 192.168.9.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)

access-list acl-nw line 1 permit ip 192.168.10.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)

When I try to "no access-list acl-nw line 1 permit ip object-group siteA-ip object-group siteB-ip" in configuration mode, I get the error:

ERROR: access-list <acl-nw> not found

But both the running config and "show access-list" show it as there.

I can even add a new ACL named exactly the same. So, in configuration mode trying "access-list acl-nw permit ip object-group siteA-ip object-group siteB-ip" will not only not produce an error, it will create the "acl-nw" ACL looking exactly the same as before.

After issuing the above command "show access-list" returns:

access-list acl-nw; 2 elements

access-list acl-nw permit ip object-group siteA-ip object-group siteB-ip

access-list acl-nw line 1 permit ip 192.168.9.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)

access-list acl-nw line 1 permit ip 192.168.10.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)

access-list acl-nw; 2 elements

access-list acl-nw permit ip object-group siteA-ip object-group siteB-ip

access-list acl-nw line 1 permit ip 192.168.9.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)

access-list acl-nw line 1 permit ip 192.168.10.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)

So it is in there twice.

I have tried clearing it with "clear access-list acl-nw" and with the "no" statements. I can clear the second one just fine, both with "clear" and "no".

I am at a loss. I cannot think of another way to remove that line.

Is this a known bug?

Kind regards,

Kevin
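As an added example (not part of the original thread and not Cisco code), here is a small Python parser for the "show access-list" output format quoted above. It groups the output into ACL blocks and flags the two anomalies visible in the post: the same ACL header listed twice, and a configured object-group entry that carries no line number. The two sample inputs are constructed copies of the output quoted in the post; the exact line layout is assumed from that output, and the finding codes are this example's own names.

```python
import re
from collections import defaultdict

# Constructed sample 1: the output quoted in the post before the ACL was re-added.
SAMPLE_BEFORE = """\
access-list acl-nw; 2 elements
access-list acl-nw line 1 permit ip object-group siteA-ip object-group siteB-ip
access-list acl-nw line 1 permit ip 192.168.9.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw line 1 permit ip 192.168.10.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
"""

# Constructed sample 2: the output quoted in the post after the ACL was re-added,
# where the same ACL appears twice and the object-group entry has no line number.
SAMPLE_AFTER = """\
access-list acl-nw; 2 elements
access-list acl-nw permit ip object-group siteA-ip object-group siteB-ip
access-list acl-nw line 1 permit ip 192.168.9.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw line 1 permit ip 192.168.10.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw; 2 elements
access-list acl-nw permit ip object-group siteA-ip object-group siteB-ip
access-list acl-nw line 1 permit ip 192.168.9.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw line 1 permit ip 192.168.10.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
"""

# "access-list NAME; N elements" opens an ACL block.
HEADER_RE = re.compile(r"^access-list (\S+); (\d+) elements$")
# Entries may or may not carry "line N" and may or may not end in "(hitcnt=N)".
ENTRY_RE = re.compile(r"^access-list (\S+) (?:line (\d+) )?(.*?)(?: \(hitcnt=(\d+)\))?$")


def parse_show_access_list(text):
    """Split show access-list output into blocks of {name, elements, entries}."""
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m.group(1), "elements": int(m.group(2)), "entries": []}
            blocks.append(current)
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            current["entries"].append({
                "acl": m.group(1),
                "line": int(m.group(2)) if m.group(2) else None,
                "rule": m.group(3),
                # Expanded (per-network) entries carry a hit counter; the
                # configured object-group entry does not.
                "hitcnt": int(m.group(4)) if m.group(4) is not None else None,
            })
    return blocks


def audit(blocks):
    """Return findings as (acl_name, code, detail) tuples."""
    findings = []
    seen = defaultdict(int)
    for b in blocks:
        seen[b["name"]] += 1
    for name, count in seen.items():
        if count > 1:
            findings.append((name, "DUPLICATE_ACL_HEADER", f"listed {count} times"))
    for b in blocks:
        expanded = [e for e in b["entries"] if e["hitcnt"] is not None]
        if len(expanded) != b["elements"]:
            findings.append((b["name"], "ELEMENT_COUNT_MISMATCH",
                             f"header says {b['elements']}, found {len(expanded)}"))
        for e in b["entries"]:
            # A configured entry that the device prints without a line number
            # cannot be addressed with "no access-list NAME line N ...".
            if e["hitcnt"] is None and e["line"] is None:
                findings.append((b["name"], "ENTRY_WITHOUT_LINE_NUMBER", e["rule"]))
    return findings


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(parse_show_access_list(sample)))
```

Run against real output by pasting the device text into the sample strings; the audit reports nothing for the first output and both anomalies for the second, which makes it easy to spot the duplicate-ACL state from a saved "show access-list" capture rather than by eye.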

7 REPLIES
New Member

Re: Cannot remove access list

Anybody?

Gold

Re: Cannot remove access list

I had this issue once, but it's not the ACL name, it's the username.

I created a user named abc123, and later on I can't remove it, but yet I can create/delete a new abc123.

I simply think this is a bug.

Silver

Re: Cannot remove access list

I remember in my PIX class training an issue with dynamic ACLs where they could not be deleted the old traditional way. Because they are dynamic, the trigger that creates the ACL needs to be halted. Then the dynamic ACL will be released/removed... I personally have not come across this issue... Hope this leads you in the right direction....

New Member

Re: Cannot remove access list

Interesting.

Does anybody know how to halt the trigger that creates the ACL?

Kevin

Silver

Re: Cannot remove access list

From what I remember, as long as something is triggering the ACL then it will always be there. I see from your ACL there is a reference to an IP object-group... "access-list acl-nw line 1 permit ip object-group siteA-ip object-group siteB-ip". Your answer may lie in this object-group...

New Member

Re: Cannot remove access list

Unfortunately, I cannot remove those object-groups since they are also used in a crypto match for a few VPN tunnels.

Does anybody know how to halt this process without removing those object-groups?

Silver

Re: Cannot remove access list

I don't recall if there is any one command to turn off the VPN access; however, the quick way may be to shut down the interface that the VPN tunnels come in on. Once that is done the access list should go away and you should be able to remove any reference of it, then bring the interface back up....
