CSCwm56864 - show run access-list command returns warning

martin-holovic
Level 1

I encountered this bug on a Firepower 1140 in ASA mode, OS version 9.16.4.62. But for me the workaround didn't work. The only way to successfully show access-lists was through the more system:/running_config command.

Be aware, because I tried to fix this bug with a reload of both boxes in active/standby failover, and after the reload the replication of the config file from the active to the standby unit was not able to correctly copy all of my ACLs except the outside ACL (thank god). All other ACLs were shorter and cut off in a seemingly random fashion. Even when I tried to manually force configuration replication through the failover reset command, each time the ACLs were different in length. It seems like in the process of config replication the ASA uses the show running-config command, and because of this bug it was not able to correctly list the full ACLs but only a random number of lines before the warning showed up.

WARNING: OOB Access-list config change detected. Possible modification from,
SSH/Telnet sessions or ASDM/CSM. Hence, Access-list inside
may not be displayed.

The only fix that I found was upgrading to a version that is not affected.
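To tell a cosmetic warning apart from the real damage described above (ACLs truncated on the standby after replication), compare the ACL entries in two captures, for example show running-config access-list against more system:/running-config, or the active unit's config against the standby's. The script below is an added example, not code from the thread or from Cisco; the sample captures are constructed, and the warning text is the one quoted in this post.

```python
import re
from collections import defaultdict

# Added example, not from the thread: compare ACL entries in two ASA captures
# (e.g. `show running-config access-list` vs `more system:/running-config`,
# or the active vs. standby running-config) and flag entries that disappeared.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(.*)$")
WARNING_MARKER = "OOB Access-list config change detected"

def parse_acls(text):
    """Return ({acl_name: [ace, ...]}, warning_seen) for a CLI capture."""
    acls, warning_seen = defaultdict(list), False
    for line in text.splitlines():
        line = line.strip()
        if WARNING_MARKER in line:
            warning_seen = True          # listing was cut off at this point
        elif (m := ACE_RE.match(line)):
            acls[m.group(1)].append(m.group(2))
    return dict(acls), warning_seen

def diff_acls(reference, suspect):
    """Per ACL name, entries in `reference` absent from `suspect`."""
    ref, _ = parse_acls(reference)
    sus, warned = parse_acls(suspect)
    missing = {n: [a for a in aces if a not in sus.get(n, [])]
               for n, aces in ref.items()}
    return {n: lost for n, lost in missing.items() if lost}, warned

# Constructed sample captures (not real device output).
FULL = """\
access-list outside extended permit tcp any host 192.0.2.10 eq 443
access-list outside extended deny ip any any
access-list inside extended permit tcp 10.0.0.0 255.0.0.0 any eq 80
access-list inside extended permit udp 10.0.0.0 255.0.0.0 any eq 53
access-list inside extended deny ip any any
"""
TRUNCATED = """\
access-list outside extended permit tcp any host 192.0.2.10 eq 443
access-list outside extended deny ip any any
access-list inside extended permit tcp 10.0.0.0 255.0.0.0 any eq 80
WARNING: OOB Access-list config change detected. Possible modification from,
SSH/Telnet sessions or ASDM/CSM. Hence, Access-list inside
may not be displayed.
"""
if __name__ == "__main__":
    missing, warned = diff_acls(FULL, TRUNCATED)
    print("warning seen:", warned)
    for name, lost in missing.items():
        print(f"{name}: {len(lost)} entries missing:", *lost, sep="\n  ")
```

Run it against a capture from each failover unit: an empty result with no warning means the listing was complete, while missing entries on the standby are the condition that actually drops traffic.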

2 Replies

No functional impact observed. <<- This bug does not affect your ASA ACL, so there is no need to upgrade; the bug explains why show ACL gives this warning message. It comes from an FQDN not resolving.

MHM

sebcote1980
Level 1

Same here, we upgraded multiple ASA pairs with this bug being only aesthetic and having no functional impact. But we have one 4115 pair where the behaviour was exactly the same as yours. Not able to use any version impacted by this bug without having random ACLs actually disappearing and impacting the related traffic, which is denied by the missing ACL. As soon as we return to a version not impacted by this bug (9.16(4)57), everything comes back to normal, and this is the only way we can have normal behaviour. There must be something causing this in the configuration, but even Cisco support is not able to find why... they even offered to RMA both devices for new ones because they don't know what to do. Even the latest 9.16(4)82, said to have this bug fixed, is not fixed at all... show run access-list is still showing the warning. And no, this is not related to FQDN not being resolved.