topic Thanks Marvin. in Network Security

ASDM View after OS upgrade

Philip Brown — Tue, 12 Mar 2019 08:55:02 GMT

Hi, after recently upgrading the OS on a 5585, running multiple security contexts, to v. 9.4(4), the viewable information presented in the access rules has changed !

The User and Security Group columns in all of the contexts have suddenly become populated.

Trustsec is not enabled but, I see that User Identitiy under the identity options has been set to enabled.

If I open a rule for editing, there is nothing to be seen in the User and Security Group fields although the ASDM view shows host and/or network objects.

There is nothing unusual to be seen in the ACL's when they are listed on the CLI either.

Any ideas ?

Thanks, Phil

I have a similar problem on a

MarcBrechbuehl — Mon, 13 Feb 2017 07:19:08 GMT

I have a similar problem on a 5555 after the OS upgrade to 9.4(4) (from 9.4(3)) and ASDM to 7.7(1) (from 7.6(2)-150):
In ASDM the views of Access Rules the User and Security Group columns suddenly have entries, in the edit window the fields are blank, and on the CLI there are no entries for User and Security Groups.

I backed out ASDM to version 7.6(2)-150 and have the correct view of User and Security Group columns again. So I assume there is a problem with ASDM version 7.7(1).

Cheers,
Katrin

I had the same experience. I

Marvin Rhoads — Mon, 13 Feb 2017 08:13:24 GMT

I had the same experience. I believe it's a bug in ASDM 7.7(1).

hi marvin,

johnlloyd_13 — Mon, 13 Feb 2017 08:26:00 GMT

hi marvin,

i'm about to upgrade an ASA5525x and its ASDM to 7.7.1. is the bug confirmed? got a link?

also, do you advise to go for image asa943-12-smp-k8.bin or asa924-18-smp-k8.bin coz both are preferred/have stars on it?

any major difference between the two? why a big jump on the image version?

No confirmation of the bugid

Marvin Rhoads — Mon, 13 Feb 2017 08:41:24 GMT

No confirmation of the bugid - just three of us reporting the exact same thing. I'll open a case later this week to have TAC confirm. A current bug search doesn't show it; but I suspect it's internally known and just not public-facing yet while development identifies the root cause

I've been going with 9.4(3-12). They are both from November 2016 and 9.4 train has a number of new features not in 9.2. They both have more or less the same security bug fixes (CVEs).

For customers not quite as conservative I've been using the latest 9.6 interim release. I'm waiting for Cisco to denote a 9.6 release with the gold star.

+5

johnlloyd_13 — Mon, 13 Feb 2017 08:53:12 GMT

thanks! will go for 9.4.3 then.

This still seems to be a

Darren Wilders — Fri, 17 Mar 2017 11:42:24 GMT

This still seems to be a problem with ASDM 7.7(1)150 released on the 9th March 2017.

It'll usually display the source IP in the user/group column - and if you click it, it'll change the value to "any" or to nothing or blank out part of what was there. If you hover over it, it'll often include information from an object related to a different rule. It's quite random.

Unfortunately, it's not always possible to downgrade to ASDM 7.6 - we're using FirePOWER Services 6.2.0 which has a minimum ASDM requirement of 7.7(1)+.

I'll probably raise a TAC request to see if they're aware of the problem - bearing in mind 7.7(1) was released on the 23rd January 2017, it seems a long time for a bug like this to not be even acknowledged.

@Darren Wilders ,

Marvin Rhoads — Fri, 17 Mar 2017 12:00:51 GMT

darrenwilders ,

Yes I am still seeing it on the new interim ASDM release as well.

The ASDM 7.7(1)+ with FirePOWER 6.2 requirement is only if you are using the ASDM-based FirePOWER management.

If you are registered to FirePOWER Management Center you can run the older ASDM version.

Thanks Marvin.

Darren Wilders — Wed, 29 Mar 2017 17:02:26 GMT

Thanks Marvin.

We have now deployed FMC for the FirePOWER module, so we no longer need ASDM for that - therefore, we have now to downgraded to ASDM 7.6(2)150 so access rules all display OK again.

Hi,

Pascal Martin — Fri, 05 May 2017 09:48:07 GMT

Hi,

i've the same problem with this versions :

asdm-771-151

asa971-8-smp-k8

Until Cisco fixes this

Marvin Rhoads — Fri, 05 May 2017 09:54:42 GMT

Until Cisco fixes this cosmetic bug with a new release (probably not until June), you must either downgrade to 7.6(2) or use the cli to be certian about ACL contents.

If you open a TAC case you may be able to get them to provide a work around image.

FYI - This is fixed in asdm 7

Flarkus — Thu, 22 Jun 2017 12:55:32 GMT

FYI - This is fixed in asdm 7.8(1)150

Yes - this was documented in

Marvin Rhoads — Thu, 22 Jun 2017 13:11:32 GMT

Yes - this was documented in the ASDM 7.8 Release Notes:

http://www.cisco.com/c/en/us/td/docs/security/asdm/7_8/release/notes/rn78.html#reference_z32_grc_mz

The BugID is here:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc92151