https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881609#M957645 <HTML><HEAD></HEAD><BODY><P>If you are trying to remove the entire access list you will need to type:</P><P></P><P>clear configure access-list 101</P><P></P><P></P></BODY></HTML> Fri, 04 Jan 2008 14:11:21 GMT adam.sellhorn 2008-01-04T14:11:21Z https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881608#M957644 <P>Hello,</P><P></P><P>I'm having a little bit of a problem trying to remove an access list that includes object groups. When I try to remove an access list with the "no" proceeding the access list it give me this error: Specified access-list does not exist.</P><P></P><P>The reason I tried deleting the access list is because even after adding IP addresses to a object group, it wasn't giving me the desired results. </P><P></P><P>As I stated earlier, I tried deleting the ACL with no luck, but I am able to add the exact ACL into the config which allows me to use the object groups with the desired effect.</P><P></P><P>Here is my current config, or at least parts that are relevant:</P><P></P><P>ASA Version 7.2(2)</P><P></P><P>....</P><P></P><P>object-group network allowed</P><P> network-object xx.xx.222.0 255.255.255.0</P><P> network-object xx.xx.190.4 255.255.255.255</P><P> network-object xx.xx.169.150 255.255.255.255</P><P> network-object xx.xx.67.202 255.255.255.255</P><P> network-object xx.xx.190.12 255.255.255.255</P><P>object-group service web tcp</P><P> port-object eq www</P><P> port-object eq https</P><P>object-group service asterisk udp</P><P> port-object eq sip</P><P> port-object eq 4569</P><P> port-object eq 5036</P><P>access-list 101 extended permit udp any gt 1023 interface outside object-group asterisk </P><P>access-list 101 extended permit tcp object-group allowed gt 1023 interface outside object-group web </P><P>access-list 101 extended permit tcp object-group allowed gt 1023 interface outside eq ssh </P><P>access-list 101 extended permit tcp object-group allowed gt 1023 interface outside eq ssh</P><P>....</P><P>: end</P><P></P><P></P><P>show ver:</P><P>Cisco Adaptive Security Appliance Software Version 7.2(2) </P><P>Device Manager Version 5.2(2)</P><P>....</P><P></P><P></P><P>I work for an ISP so I have access to other hardware, and this problem is happening on multiple ASA firewalls, so I'm assuming its a bug in the IOS, but I could be wrong. Any help would be greatly appreciated.</P><P></P> Mon, 11 Mar 2019 11:43:33 GMT https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881608#M957644 switchtower 2019-03-11T11:43:33Z https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881609#M957645 <HTML><HEAD></HEAD><BODY><P>If you are trying to remove the entire access list you will need to type:</P><P></P><P>clear configure access-list 101</P><P></P><P></P></BODY></HTML> Fri, 04 Jan 2008 14:11:21 GMT https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881609#M957645 adam.sellhorn 2008-01-04T14:11:21Z https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881610#M957646 <HTML><HEAD></HEAD><BODY><P>If you are trying to remove the entire access list you will need to type:</P><P></P><P>clear configure access-list 101</P><P></P><P></P></BODY></HTML> Fri, 04 Jan 2008 14:27:58 GMT https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881610#M957646 adam.sellhorn 2008-01-04T14:27:58Z https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881611#M957647 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I'm only trying to remove this ACL:</P><P></P><P>access-list 101 extended permit tcp object-group allowed gt 1023 interface outside eq ssh</P><P></P><P>As you can see, it's in the configuration twice. When I try to remove it with:</P><P></P><P>no access-list 101 extended permit tcp object-group allowed gt 1023 interface outside eq ssh</P><P></P><P>it will delete one, but not both.</P></BODY></HTML> Fri, 04 Jan 2008 15:57:44 GMT https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881611#M957647 switchtower 2008-01-04T15:57:44Z https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881612#M957649 <HTML><HEAD></HEAD><BODY><P>I think he means he's only trying to remove that single ace. You may want to try removing the entire acl and recreating it.</P></BODY></HTML> Fri, 04 Jan 2008 16:04:04 GMT https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881612#M957649 acomiskey 2008-01-04T16:04:04Z https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881613#M957651 <HTML><HEAD></HEAD><BODY><P>That is a very strange issue as it shouldn't of allowed you to put duplicate entries in your ACL. I would recommend clearing the ACL and rebuilding it. </P></BODY></HTML> Fri, 04 Jan 2008 16:05:01 GMT https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881613#M957651 adam.sellhorn 2008-01-04T16:05:01Z https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881614#M957652 <HTML><HEAD></HEAD><BODY><P>Initial I tried removing the single instance of this ACL when it wouldn't accept any changes that I made to the access group. Since I couldn't remove it, I wanted to see what would happen if I re-entered it into the config. It accepted it, I can delete the previously created one, but still cannot delete the older one. </P><P></P><P>I don't want to remove ACL 101. I want to know why I'm having this problem. This isn't the first ASA 5505 I've had this exact problem with. I thought it was initially maybe something wrong with the IOS, so I switched to a new ASA, but I'm still experiencing the same problems. </P><P></P><P>The initial configuration is fine, I can add and delete from the access group with the changes taking effect immediately, and I can add and remove ACL without a problem. It's only after the firewall has been running for a few months that this problem seems to occur. It is also connected to a cable modem, I don't know if that makes any difference. It shouldn't.</P></BODY></HTML> Fri, 04 Jan 2008 17:59:12 GMT https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881614#M957652 switchtower 2008-01-04T17:59:12Z https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881615#M957653 <HTML><HEAD></HEAD><BODY><P>Hi Switchtower,</P><P></P><P>Did you ever get to the bottom of this? I am experiencing the same issue so I'd be keen to see if you found a reosultion beyond rebuilding the ACL.</P><P></P><P>Cheers</P><P>Scott</P></BODY></HTML> Wed, 20 Oct 2010 22:40:07 GMT https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881615#M957653 Scott Cannon 2010-10-20T22:40:07Z https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881616#M957655 <HTML><HEAD></HEAD><BODY><P>Hello People,</P><P></P><P>I need to get my eyes into this, would you please (if you have time for a maintenance window) reload any of these devices that are having the problem? Are all of them running the same code?</P><P></P><P>Ill try to get this resolve together with you.</P><P></P><P>Cheers</P><P></P><P>Mike</P></BODY></HTML> Thu, 21 Oct 2010 04:22:37 GMT https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881616#M957655 Maykol Rojas 2010-10-21T04:22:37Z https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881617#M957657 <HTML><HEAD></HEAD><BODY><P>Sorry Mike,</P><P></P><P>These untis are live production with 1 hour downtime window a month and its at an ungodly hour. When the oppurtunity arises I will try this reload and let everyone know how it goes.</P><P></P><P>Cheers</P><P>Scott</P></BODY></HTML> Thu, 21 Oct 2010 06:10:10 GMT https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881617#M957657 Scott Cannon 2010-10-21T06:10:10Z https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881618#M957659 <HTML><HEAD></HEAD><BODY><P>Scott,</P><P></P><P>If you are running ASA 7.2 like the original poster, this issue might be caused by CSCsg08640. An upgrade to the latest 7.2 image should take care of the problem.</P><P></P><P>Hope that helps.</P><P></P><P>-Mike</P></BODY></HTML> Thu, 21 Oct 2010 15:14:06 GMT https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881618#M957659 mirober2 2010-10-21T15:14:06Z https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881619#M957663 <HTML><HEAD></HEAD><BODY><P>Thanks Mike, thats probably it - I'm running 7.0.6 (gasp!) Time for an upgrade then.</P><P></P><P>Cheers</P><P>Scott</P></BODY></HTML> Thu, 21 Oct 2010 22:19:31 GMT https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881619#M957663 Scott Cannon 2010-10-21T22:19:31Z https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881620#M957664 <HTML><HEAD></HEAD><BODY><P>It would be a good idea also to try the workaround to make sure that we are hitting the bug, then the upgrade can be done. It all depends on you now <SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/grin.gif"></SPAN></P><P></P><P>Cheers </P><P></P><P>Mike</P></BODY></HTML> Fri, 22 Oct 2010 03:39:50 GMT https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881620#M957664 Maykol Rojas 2010-10-22T03:39:50Z https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881621#M957666 <HTML><HEAD></HEAD><BODY><P>I can do that easily enough.</P><P>What I'll do is try:</P><P>1. a simple reboot and remove</P><P>2. remove and re-add the ACLfrom the interface and remove the ACE</P><P>3. clear/delete the ACL entirely</P><P>4. OS upgrade</P><P></P><P>If anyone of those succeeds then thats as far as I'll be able to go but I'll do them in that order.</P><P>Give me a few weeks and I'll come back to this thread with my findings.</P><P></P><P>Cheers</P><P>Scott</P></BODY></HTML> Fri, 22 Oct 2010 07:17:48 GMT https://community.cisco.com/t5/network-security/specified-access-list-does-not-exist-asa-5505/m-p/881621#M957666 Scott Cannon 2010-10-22T07:17:48Z