https://community.cisco.com/t5/network-security/access-list-affect/m-p/4634698#M1091065 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1298088">@elliot_adlerson</a> yes that is correct and by design.</P> <P>&nbsp;</P> <P>Reference here</P> <P><SPAN class="style-scope yt-formatted-string"><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/clear-a-to-clear-k-commands.html#wp7335946330" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/clear-a-to-clear-k-commands.html#wp7335946330</A></SPAN></P> <P>&nbsp;</P> <P>"When you make security policy changes to the configuration, all <EM class="ph i">new</EM> connections use the new security policy. <EM>Existing connections continue to use the policy that was configured at the time of the connection establishment</EM>. To ensure that all connections use the new policy, you need to disconnect the current connections so they can reconnect using the new policy using the<SPAN class="ph synph"> <SPAN class="keyword kwd">clear</SPAN> <SPAN class="keyword kwd">conn</SPAN> </SPAN> command."</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 20 Jun 2022 07:44:18 GMT Rob Ingram 2022-06-20T07:44:18Z https://community.cisco.com/t5/network-security/access-list-affect/m-p/4634685#M1091064 <P>I have the following concerns regarding access lists on ASA:</P><P>We've permitted the computer below to access the file server and from the computer, we've opened a doc file and made some changes.</P><P><BR />Computer (192.168.1.10) &gt; ASA &gt; File Server (192.168.2.3)</P><P><BR />while the doc file is still open on the computer, on the ASA I've changed the access list to deny but the interesting thing is the computer can still make changes to the document and save it on the file server.</P><P>Unless I run "clear conn address 192.168.1.10" then the access list change takes effect and block the traffic.</P><P>Why the ASA won't drop the traffic immediately? Is it by design? Is there any official document about this?</P> Mon, 20 Jun 2022 07:21:04 GMT https://community.cisco.com/t5/network-security/access-list-affect/m-p/4634685#M1091064 elliot_adlerson 2022-06-20T07:21:04Z https://community.cisco.com/t5/network-security/access-list-affect/m-p/4634698#M1091065 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1298088">@elliot_adlerson</a> yes that is correct and by design.</P> <P>&nbsp;</P> <P>Reference here</P> <P><SPAN class="style-scope yt-formatted-string"><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/clear-a-to-clear-k-commands.html#wp7335946330" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/clear-a-to-clear-k-commands.html#wp7335946330</A></SPAN></P> <P>&nbsp;</P> <P>"When you make security policy changes to the configuration, all <EM class="ph i">new</EM> connections use the new security policy. <EM>Existing connections continue to use the policy that was configured at the time of the connection establishment</EM>. To ensure that all connections use the new policy, you need to disconnect the current connections so they can reconnect using the new policy using the<SPAN class="ph synph"> <SPAN class="keyword kwd">clear</SPAN> <SPAN class="keyword kwd">conn</SPAN> </SPAN> command."</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 20 Jun 2022 07:44:18 GMT https://community.cisco.com/t5/network-security/access-list-affect/m-p/4634698#M1091065 Rob Ingram 2022-06-20T07:44:18Z https://community.cisco.com/t5/network-security/access-list-affect/m-p/4634714#M1091066 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;</P><P>many thanks for your reply I really appreciate it.</P><P>&nbsp;</P> Mon, 20 Jun 2022 08:17:15 GMT https://community.cisco.com/t5/network-security/access-list-affect/m-p/4634714#M1091066 elliot_adlerson 2022-06-20T08:17:15Z