New Member

ISA550W ACL Rules "hanging"

Hey guys, I'm running an ISA550W with firmware 1.2.15 on it.  I've got a handful of LAN interfaces configured, including two functioning as DMZs (but I didn't see the point of configuring them as DMZs?) - see attached for details.

So far it's working great, but every now and then the only ACL rule I've manually added stops working and cuts off my access to the OOB Mgmt LAN.  If I "Reset" the ACL table, the rule immediately starts working again and access is restored.

Has anyone else seen this?  Any other options for remediation?

Thanks,

Phil


16 REPLIES
Cisco Employee

ISA550W ACL Rules "hanging"

Hi Phil,

By any chance, do you have SSL VPN enabled and do you have users connecting via the AnyConnect client?

Thanks,

Brandon

ISA550W ACL Rules "hanging"

I don't know what hanging means, but you could also set the security level of Production one point higher than OOB, then you don't need any rules.

Michael

Please rate all helpful posts

New Member

ISA550W ACL Rules "hanging"

Michael, I appreciate the help but the ISA550 doesn't support custom security levels.  You're/I'm stuck with the five that come with the appliance: 0, 25, 50, 75, 100.

New Member

ISA550W ACL Rules "hanging"

Brandon, yes to both!  I'm using the AnyConnect client on both Android and iOS and will probably roll out to laptops as well.  Is there a documented incompatibility here?

Cisco Employee

ISA550W ACL Rules "hanging"

Hi Phil,

We did see some issues with AnyConnect affecting the ACLs.  The good news is 1.2.17 has just been released.  Please upgrade to 1.2.17 and test to see if that helps.

Let me know if you have any questions regarding this.

Thanks,

Brandon

New Member

ISA550W ACL Rules "hanging"

Brandon, strangely enough the ISA550W seemed to work ok throughout the day yesterday but I did upgrade to the newest firmware last night.

Also, just so you know, I had issues adding a new ACL rule a couple nights ago.  I'd configure it and click "Save" but when I refreshed it wasn't there.  I rebooted the ISA and tried again and it worked.  I think there's something funny going on in the ACL code on this box...

Either way, it seems to be working ok today but I'll keep you posted.

Thanks!

Cisco Employee

ISA550W ACL Rules "hanging"

Hi Phil,

Let me know if you still see those issues with the ACLs.  I'm not seeing what you mentioned, but we can investigate it if you continue to see that.

Thanks,

Brandon

New Member

ISA550W ACL Rules "hanging"

Thanks Brandon.  So far I'm really impressed with this little box.  I never played with the SA520 but I'm pretty happy to have AnyConnect/Mobile included on an SMB product!

New Member

Re: ISA550W ACL Rules "hanging"

Brandon,

The ISA550W is acting up again.  Outbound Internet access is working but none of my DMZs are accessible any more.  I've got a Cisco Meraki security appliance on the way so I think I'm going to have to swap the ISA for my spare 5505 until the Meraki gets here or the issues are resolved.  I even tried rebooting the appliance 4 hours ago but DMZ traffic is still not passing.

It's a real shame.  I've been thrilled to use AnyConnect to access my ESXi host remotely but it doesn't do me any good if the appliance is randomly dropping connections and ignoring firewall rules.  Doesn't Cisco test these things before releasing them for sale?

Cisco Employee

Re: ISA550W ACL Rules "hanging"

Hi Phil,

Do you have logs surrounding attempts to access devices on the DMZ?  Can you gather the System Diagnostics surrounding when this is seen?  It may be a good idea to open a case with SBSC for this.

Thanks,

Brandon

New Member

Re: ISA550W ACL Rules "hanging"

Brandon, I just checked my purchase records and usually (as a Channel Partner) I buy SMARTNet on everything but somehow I forgot to get it on my ISA550.  On one hand it's only $50 to get it covered but on the other it seems like people on these forums are returning their ISAs left and right because they're not up to snuff.  Why pay $50 to get coverage on a device just so TAC can agree that it's broken?

Now I know how my customers feel sometimes...

PS  I can definitely pull some logs though.  Let me boot everything up and see what I can get.

Gold

Re: ISA550W ACL Rules "hanging"

Phil,

1 year of phone support is included with the ISA500 series. Support is 8x5 (M-F 9am-6pm local time)

The contract gets you 3 years of support plus Next Business Day replacement if necessary.

Please call and open a case so we can help you get the issue resolved. Please reference this post when you call.

- Marty

New Member

Re: ISA550W ACL Rules "hanging"

Marty, I had completely forgotten about that.  Thanks for the reminder!

I'm thinking of starting a hosted/managed services practice within my business so I'm REALLY hoping the ISA550/570s stabilize in the next few firmware releases.  I'd love to use them as our go-to WAN router!

Looking forward to opening up that case tomorrow...

New Member

Re: ISA550W ACL Rules "hanging"

Marty, I called the SBSC and they said my config looked fine.  The only suggestion they had was to run a remote Syslog server to catch logs with

Cisco Employee

Re: ISA550W ACL Rules "hanging"

Hi Phil,

What is your case number?  Normally, we like to get logs surrounding when this is seen along with System Diagnostics.  Logs to a syslog server are good too as they can show what is going on leading up to when this is seen.  Depending on what we see in the logs, we can look at other things, too. 

Thanks,

Brandon

New Member

Re: ISA550W ACL Rules "hanging"

SBSC Case 626677317

My engineer closed the case (with my permission) but said I could re-open within 10 days.  I'll try to get Syslog up and going by tomorrow.  Things have been running well for a couple days now so I'm due for another traffic failure pretty soon...
