topic Re: FWSM add host into object-group issue in Network Security

FWSM add host into object-group issue

Rojer-bkk — Mon, 11 Mar 2019 19:30:59 GMT

Hi,

I used FWSM on 6500 with software 3.1(3)

When i add hosts or services into exising object-group, firewall don't perform process on exisiting ACL involve that object-group.

I have to remove ACL and re-insert once to activate. I tested on 10 times found issue 7-8 times. I'm sure this is bug or not but i found some bug may be related.

CSCtd78604

FWSM: ACLs missing after adding items to object-groups
Symptom: If adding additional network-objects to object-groups fails with the following error, "access-list" lines may be missing from the config afterwards:

CSCse60868

Modifying an ACL with an object-group could cause ACL corruption

Thanks

Re: FWSM add host into object-group issue

Jennifer Halim — Thu, 06 Jan 2011 09:28:00 GMT

FWSM version 3.1.3 is quite an old version of code.

Can you please check if ACL count has hit the hardware limit? Please share the output of "show np 3 acl stats" from the FWSM.

In any case, it does seem to match bugID CSCtd78604, but it might be a good idea to open a TAC case to further investigate the issue, OR/ I would recommend upgrading the FWSM to at least the latest version of 3.2.x.

Re: FWSM add host into object-group issue

Rojer-bkk — Thu, 06 Jan 2011 10:14:16 GMT

Hi Jennifer,

Thanks for your advised. Here is output from internal-server context

sh np 3 acl stats
----------------------------
    ACL Tree Statistics
----------------------------
Rule count        :    496
Bit nodes (PSCB's):    464
Leaf nodes        :    465
Total nodes       :    929 (max 28356)
Leaf chains       :     42
Total stored rules:    496
Max rules in leaf :      3
Node depth        :     12
----------------------------

Here is output from admin context

sh np 3 acl stats
----------------------------
    ACL Tree Statistics
----------------------------
Rule count        :     45
Bit nodes (PSCB's):     40
Leaf nodes        :     41
Total nodes       :     81 (max 28356)
Leaf chains       :     14
Total stored rules:     55
Max rules in leaf :      3
Node depth        :      9
----------------------------

Re: FWSM add host into object-group issue

Jennifer Halim — Thu, 06 Jan 2011 11:13:04 GMT

That seems to be just fine.

It seems to be that you are hitting one or both the bugs that you mentioned earlier. Please upgrade the FWSM to at least the latest version of 3.2.x.

Re: FWSM add host into object-group issue

Kureli Sankar — Thu, 06 Jan 2011 15:20:05 GMT

The one that you found CSCse60868 is ONE reason why you should upgrade.

This one jumbles the acl and puts the implicit deny on the top of the acl thereby denying all permit traffic.

There was a PSIRT on this one that you can read here: http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml

FWSM code download link:

http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm

Click on the All new releases will be available "here"

The latest in the 3.1.x train 3.1.(19)
The latest in the 4.0 train is 4.0.13
The latest in the 3.2 train is 3.2.(19)
The latest in the 4.1 train is 4.1(3)
ASDM is asdm-62(1)f.bin

-KS