Can't remove port-object from service group.

Ken Stieers · ‎02-27-2017

Running 9.7.1.

Current config looks like this:

object-group service Guest-Wirelss-TCP tcp
group-object ApplePush
port-object range 5228 5230
port-object eq 993
port-object eq ftp
port-object eq www
port-object eq https
port-object eq pcanywhere-data
port-object eq smtp
port-object eq 15000
port-object range 30000 64000
port-object eq 12000

When I try to remove an entry, I get this:

OPUSFW1# config t
OPUSFW1(config)# object-group service Guest-Wireless-TCP tcp
OPUSFW1(config-service-object-group)# no port-object eq 12000
Removing obj from object-group (Guest-Wireless-TCP) failed;
obj does not exist in this group
OPUSFW1(config-service-object-group)#

What am I mssing?

mohanB · ‎02-27-2017

Weird, tried on 9.6.2 with your config, removing port-object works just fine. Maybe something 9.7.1 related.

asa(config)# object-group service Guest-Wirelss-TCP tcp
asa(config-service-object-group)# group-object ApplePush
Specified group object (ApplePush) does not exist
asa(config-service-object-group)# port-object range 5228 5230
asa(config-service-object-group)# port-object eq 993
asa(config-service-object-group)# port-object eq ftp
asa(config-service-object-group)# port-object eq www
asa(config-service-object-group)# port-object eq https
asa(config-service-object-group)# port-object eq pcanywhere-data
asa(config-service-object-group)# port-object eq smtp
asa(config-service-object-group)# port-object eq 15000
asa(config-service-object-group)# port-object range 30000 64000
asa(config-service-object-group)# port-object eq 12000
asa(config-service-object-group)#
asa(config-service-object-group)# no port-object eq 12000
asa(config-service-object-group)#
asa(config-service-object-group)#
asa(config-service-object-group)#
asa(config-service-object-group)# end

asa# sh run object-group
object-group service Guest-Wirelss-TCP tcp
port-object range 5228 5230
port-object eq 993
port-object eq ftp
port-object eq www
port-object eq https
port-object eq pcanywhere-data
port-object eq smtp
port-object eq 15000
port-object range 30000 64000

Ken Stieers · ‎02-27-2017

For anyone looking closely there is a typo in my original post...

Here's a simplified version:

OPUSFW1# config t
OPUSFW1(config)# object-group service TEST tcp
OPUSFW1(config-service-object-group)# port-object eq 993
OPUSFW1(config-service-object-group)# port-object eq ftp
OPUSFW1(config-service-object-group)# port-object eq www
OPUSFW1(config-service-object-group)# port-object eq https
OPUSFW1(config-service-object-group)# no port-obj eq https
Removing obj from object-group (TEST) failed;
obj does not exist in this group

I get that 7.7.1 is leading edge, but who'd have thought they'd break something so fundamental?

Marius Gunnerud · ‎02-27-2017

Is the port-object present when you issue the command show object-group id Guest-Wirelss-TCP ?

What about if you issue the command show run object-group id Guest-Wirelss-TCP ?

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Ken Stieers · ‎02-27-2017

Yep, its there...

here's a create, show run, try to delete. I'm pretty sure its either a bug or a hidden setting that I missed...

OPUSFW1(config)# object-group service TEST tcp
OPUSFW1(config-service-object-group)# port-object eq 993
OPUSFW1(config-service-object-group)# port-object eq ftp
OPUSFW1(config-service-object-group)# port-object eq www
OPUSFW1(config-service-object-group)# port-object eq https
OPUSFW1(config-service-object-group)# exit
OPUSFW1(config)# exit
OPUSFW1# show run object-group id TEST
object-group service TEST tcp
port-object eq 993
port-object eq ftp
port-object eq www
port-object eq https
OPUSFW1# config t
OPUSFW1(config)# object-group service TEST tcp
OPUSFW1(config-service-object-group)# no port-object eq https
Removing obj from object-group (TEST) failed;
obj does not exist in this group
OPUSFW1(config-service-object-group)#

Ken Stieers · ‎02-27-2017

Its a bug, CSCvd21541