Core issue
In Firewall Services Module (FWSM), the modification of an access control list (ACL) that contains object-groups leads to misordered ACL rules. In other words, the order of access control entries (ACEs) becomes corrupted.
As a result, the packets hit the wrong ACEs within the same ACL.
This issue is due to the presence of Cisco bug ID CSCse60868.
Resolution
This issue is fixed in these FWSM versions:
In order to resolve this issue, download the latest code from Cisco Downloads.