ASA 5510 Reboots When Adding Objects or ACL

Lloyd_Tobias
Level 1

I have two Cisco ASA 5510 devices terminating multiple site-to-site VPNs. I am trying to create a new nat0 rule on the outside interface which will allow traffic to pass from one VPN to the other. When I try to add a specific group object to a different object group it causes the device to reboot and fail over. I also tried to create a whole new object group and use that in a separate NO_NAT ACL but I get the same result. Has anyone else experienced this?

The device is running version 8.2(1) with ASDM 6.2(3)

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

7 Replies

Sounds like a very ugly bug.

You say the ASA reboots, it doesn't hang.

I'll try to get away from 8.2(1) to 8.2(2) and see if the problem persists.

Federico.

I researched the problem further and discovered that two specific objects that I was trying to add to the object groups were giving me this problem. Could it be the configuration of these specific object groups that is causing this issue, and if so what should I look for?

I imagine that it might be related to the specific consequences of having those objects added to the configuration but I can't think of an object that would cause that...

Can you share the relevant part of your configuration with the objects that you were adding and perhaps we can figure why this is happening.

Federico.

Hello,

Do you have these object groups as part of any access-lists? Can you reproduce the issue? If yes, can you try to remove the corresponding access-list line and then change the object-group and see if that makes any difference? It could be related to a software defect but we need to identify the exact root cause before determining the bug ID.

Regards,

NT

Nagaraja,
I tried that with second group I created below and it did the same thing.

ACL = access-list NO_NAT_SITE-TO-SITE extended permit ip object-group Acme_Global_NO_NAT object-group Acme_Global_NO_NAT

Group I am trying to add to:

object-group network Acme_Global_NO_NAT
network-object xx.0.0.0 255.0.0.0
network-object xxx.16.0.0 255.240.0.0
network-object xxx.168.0.0 255.255.0.0
network-object xx.45.18.32 255.255.255.224
network-object xx.45.115.32 255.255.255.224
network-object xx.45.18.0 255.255.255.224
network-object xx.45.112.224 255.255.255.224
network-object xxx.177.196.128 255.255.255.192
network-object host xxx.177.196.241
network-object xxx.40.49.0 255.255.255.0
network-object xxx.40.50.0 255.255.254.0
network-object xxx.40.53.0 255.255.255.0
network-object xxx.40.54.0 255.255.255.0
network-object xxx.40.55.0 255.255.255.0
network-object xxx.40.56.0 255.255.248.0

Group Object I am trying to add:

object-group network AcmeCom
network-object xxx.189.35.128 255.255.255.192

I also have the same problem with these two objects

ACL = access-list NO_NAT_SITE-TO-SITE extended permit ip object-group Acme_Remote_Asia object-group AcmeCom

object-group network Acme_Remote_Asia
group-object Acme_Singapore
group-object Acme_Taiwan
group-object Acme_Malaysia
group-object Acme_India
group-object Acme_Hong_Kong_2
group-object Acme_Hong_Kong_1
group-object Acme_Thailand
group-object Acme_China_1
group-object Acme_New_Zealand

object-group network Acme_China_2
description xx.180.30.128/27_Office
network-object xx.180.30.128 255.255.255.224

Message was edited by: Lloyd Tobias
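On the ASA, an ACE written against object-groups is expanded into one entry per source/destination pair (that is what `show access-list` displays, with its element count), so adding a nested group to a group that an ACL already references multiplies the expanded table rather than adding a single line. The script below is an added example, not from the thread or from Cisco: it parses object-group and access-list lines in the format posted above, flattens nested group-objects with cycle detection, and reports how many expanded entries the NO_NAT ACL has before and after a proposed addition, plus any members already shadowed by a broader prefix in the same group. The addresses in SAMPLE_CONFIG are constructed RFC 1918 and documentation ranges, since the thread masks the real ones. Whether expansion size has anything to do with the reboot is not something the thread establishes; this is the check to run before touching a referenced group, not a diagnosis.

```python
"""Flatten nested ASA object-groups and size the ACL entries they expand into.

Added example, not from the thread. SAMPLE_CONFIG is constructed to mirror the
poster's layout (nested Asia groups feeding a NO_NAT ACL); addresses are made up.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
object-group network Acme_Singapore
 network-object 10.20.1.0 255.255.255.0
object-group network Acme_Taiwan
 description constructed sample, not the poster's subnet
 network-object 10.20.2.0 255.255.255.0
object-group network Acme_Remote_Asia
 group-object Acme_Singapore
 group-object Acme_Taiwan
object-group network AcmeCom
 network-object 198.51.100.128 255.255.255.192
object-group network Acme_Global_NO_NAT
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object host 203.0.113.241
 group-object Acme_Remote_Asia
access-list NO_NAT_SITE-TO-SITE extended permit ip object-group Acme_Global_NO_NAT object-group Acme_Global_NO_NAT
access-list NO_NAT_SITE-TO-SITE extended permit ip object-group Acme_Remote_Asia object-group AcmeCom
"""

GROUP_RE = re.compile(r"object-group network (\S+)$")
HOST_RE = re.compile(r"network-object host (\S+)$")
NET_RE = re.compile(r"network-object (\S+) (\S+)$")
NESTED_RE = re.compile(r"group-object (\S+)$")
ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) "
                    r"object-group (\S+) object-group (\S+)$")


def parse_config(text):
    """Return (groups, aces): groups maps name -> [('net', IPv4Network) | ('group', name)]."""
    groups, aces, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "description ")):
            continue
        if m := GROUP_RE.match(line):
            current = m.group(1)
            groups.setdefault(current, [])
        elif current and (m := HOST_RE.match(line)):
            groups[current].append(("net", ipaddress.ip_network(m.group(1))))
        elif current and (m := NET_RE.match(line)):
            # ipaddress accepts the dotted-netmask form the ASA prints
            groups[current].append(("net", ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")))
        elif current and (m := NESTED_RE.match(line)):
            groups[current].append(("group", m.group(1)))
        elif m := ACE_RE.match(line):
            current = None
            aces.append({"acl": m.group(1), "src": m.group(4), "dst": m.group(5)})
        else:
            current = None  # any other top-level line ends the object-group block
    return groups, aces


def expand(groups, name, _stack=()):
    """Flatten a group to its networks; raise on an undefined or recursive group-object."""
    if name in _stack:
        raise ValueError("recursive group-object: " + " -> ".join(_stack + (name,)))
    if name not in groups:
        raise ValueError(f"object-group {name} is referenced but never defined")
    nets = []
    for kind, value in groups[name]:
        nets.extend([value] if kind == "net" else expand(groups, value, _stack + (name,)))
    return nets


def reference_errors(groups):
    """Groups whose expansion fails; the CLI should reject these, but a pasted config may carry them."""
    errors = []
    for name in groups:
        try:
            expand(groups, name)
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
    return errors


def acl_entry_count(groups, aces):
    """'permit ip object-group A object-group B' becomes |A| x |B| entries in 'show access-list'."""
    return sum(len(expand(groups, a["src"])) * len(expand(groups, a["dst"])) for a in aces)


def growth_if_added(groups, aces, target, member):
    """Entry count before and after appending member (('net', net) or ('group', name)) to target."""
    before = acl_entry_count(groups, aces)
    trial = {k: list(v) for k, v in groups.items()}  # leave the parsed config untouched
    trial[target].append(member)
    return before, acl_entry_count(trial, aces)


def redundant_members(groups, name):
    """Flattened members already covered by a broader member of the same group."""
    nets = expand(groups, name)
    return sorted({str(n) for n in nets for o in nets if n != o and n.subnet_of(o)})


if __name__ == "__main__":
    groups, aces = parse_config(SAMPLE_CONFIG)
    print("reference errors:", reference_errors(groups) or "none")
    before, after = growth_if_added(groups, aces, "Acme_Global_NO_NAT", ("group", "AcmeCom"))
    print(f"expanded NO_NAT entries: {before} -> {after} after adding AcmeCom")
    print("members shadowed by a broader prefix:", redundant_members(groups, "Acme_Global_NO_NAT"))
```

Point it at a `show running-config` capture instead of SAMPLE_CONFIG to size the real change; the parser only understands network object-groups and ACEs whose source and destination are both object-groups, which is the shape used in the thread, so `any`, host and port-based ACEs are ignored rather than counted.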

The problem is when you add those IPs (in the object-group).

Is that object-group being referenced by a NAT command or ACL somewhere?

Are the IPs that you're adding to the object-group part of the router itself (represents an IP from the router)?

Federico.

No, they are both related to remote networks connected through VPN, so they are related to NAT rules once they are added to the individual groups.