
Trouble with removing embedded object groups in ASA 5580 code 8.4(4)1

wingchingleung
Level 1

Model: Cisco ASA5580-40

Code version: 8.4 (4)1

Device Manager version 6.4(9)

I have been running this code since Jun of 2012 and so far everything seems to be working just fine until recently, when I started on a project to clean up some embedded object groups and started running into this weird error. Our company has been going through some restructuring process and simplified the VPN groups, so I was asked to clean up all the old VPN groups (which happen to be created in ACL objects and embedded within other ACL object groups). This problem seems to be happening on a random basis, so I am not sure if it is a bug issue.

To illustrate, for instance I am trying to delete the embedded office infrastructure VPN address space:

object-group network hosts_able_to_ssh_to_server123
      group-object limited-i_remote_vpn_address_space
      group-object office_infrastructure_remote_vpn_address_space

Normally I only need to get into the object group for ssh to server123 and do a:

asa5580-001-la(config)# object-group network hosts_able_to_ssh_to_server123
asa5580-001-lax06(config-network-object-group)# no group-object office_infrastructure_remote_vpn_address_space

BUT I ran into this error:

Removing obj from object-group (hosts_able_to_ssh_to_server123) failed;
obj does not exist in this group

Has anyone else encountered this error?


7 Replies

Jouni Forss
VIP Alumni

Hi,

Considering the names are quite long, with letters, numbers and different special marks, is it possible that there are some typos involved?

Can you provide an example of a situation where you are trying to remove the "group-object" line WHILE also providing the exact configurations of each "object-group".

I have not run into this problem myself.

The most common similar situation is sometimes when I try to clean up old "object-group" configurations and notice that they are either attached to an active ACL or just some ACL that is configured on the device but not in any kind of use.

- Jouni

Hi JouniForss

Typo was the first thing that came across my mind, but I did double check the spelling and they were correct. Here is the exact config of the ACL and the object groups:

object-group network office_infrastructure_remote_vpn_address_space
 network-object 10.20.3.64 255.255.255.240
 network-object 10.20.7.64 255.255.255.240
object-group network limited-i_remote_vpn_address_space
 network-object 10.40.42.0 255.255.254.0
 network-object 10.50.42.0 255.255.254.0
 network-object 10.60.42.0 255.255.254.0
object-group network hosts_able_to_ssh_to_server123
 group-object limited-i_remote_vpn_address_space
 group-object office_infrastructure_remote_vpn_address_space

access-list vlan87_out line 15 remark Allow SSH connections to server123
access-list vlan87_out line 16 extended permit tcp object-group hosts_able_to_ssh_to_server123 host 10.6.23.34 eq ssh
  access-list vlan87_out line 16 extended permit tcp 10.40.42.0 255.255.254.0 host 10.6.23.34 eq ssh
  access-list vlan87_out line 16 extended permit tcp 10.50.42.0 255.255.254.0 host 10.6.23.34 eq ssh
  access-list vlan87_out line 16 extended permit tcp 10.60.42.0 255.255.254.0 host 10.6.23.34 eq ssh
  access-list vlan87_out line 16 extended permit tcp 10.20.3.64 255.255.255.240 host 10.6.23.34 eq ssh
  access-list vlan87_out line 16 extended permit tcp 10.20.7.64 255.255.255.240 host 10.6.23.34 eq ssh

So during this clean-up project I usually remove the old VPN object group from each VLAN first, before I delete them later on when they are no longer in use.

If it was still attached to the active ACL line it would generate another error saying the object group is still in use on an active ACL. Here in this case I am simply trying to take it out of the ssh object group for server123.
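The cleanup described in this thread has two distinct failure conditions: "obj does not exist in this group" when a group-object line is removed from a parent group, and the "still in use" rejection when a group that is still referenced is deleted. The script below is an added example, not code from the original post or from Cisco; it parses the object-group and access-list lines posted above (re-entered here as constructed sample text in running-config form, without the "line N" numbers that "show access-list" adds), flattens the nested groups the way the expanded ACL output does, reports every parent group and ACL that still references a given group, and emulates the "no group-object" step so the dependency order of a cleanup can be checked offline before any command is typed on the firewall. All function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample, adapted from the object groups and ACL posted in this thread.
ASA_CONFIG = """\
object-group network office_infrastructure_remote_vpn_address_space
 network-object 10.20.3.64 255.255.255.240
 network-object 10.20.7.64 255.255.255.240
object-group network limited-i_remote_vpn_address_space
 network-object 10.40.42.0 255.255.254.0
 network-object 10.50.42.0 255.255.254.0
 network-object 10.60.42.0 255.255.254.0
object-group network hosts_able_to_ssh_to_server123
 group-object limited-i_remote_vpn_address_space
 group-object office_infrastructure_remote_vpn_address_space
access-list vlan87_out remark Allow SSH connections to server123
access-list vlan87_out extended permit tcp object-group hosts_able_to_ssh_to_server123 host 10.6.23.34 eq ssh
"""


def parse_config(text):
    """Parse 'object-group network' blocks and access-list lines.

    Returns (groups, acls). groups maps a group name to an ordered list of
    ("net", "<addr> <mask>") and ("group", "<name>") entries, exactly as they
    appear in the config; acls maps an ACL name to its ACE strings.
    """
    groups, acls, current = {}, defaultdict(list), None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        head = re.match(r"object-group network (\S+)$", stripped)
        if head:
            current = groups.setdefault(head.group(1), [])
            continue
        if current is not None and line[:1].isspace():   # indented line = member of the open group
            kind, _, value = stripped.partition(" ")
            if kind == "network-object":
                current.append(("net", value))
            elif kind == "group-object":
                current.append(("group", value))
            continue                                     # description lines are ignored
        current = None                                   # any other top-level command closes the block
        ace = re.match(r"access-list (\S+) (.+)$", stripped)
        if ace:
            acls[ace.group(1)].append(ace.group(2))
    return groups, dict(acls)


def expand_group(name, groups, _seen=None):
    """Flatten a group the way the expanded 'show access-list' output does:
    nested groups are walked depth-first in config order, with cycle protection."""
    seen = _seen if _seen is not None else set()
    if name in seen:
        raise ValueError(f"group-object cycle detected at {name}")
    seen.add(name)
    networks = []
    for kind, value in groups[name]:
        if kind == "net":
            networks.append(value)
        else:
            networks.extend(expand_group(value, groups, seen))
    seen.discard(name)
    return networks


def find_references(name, groups, acls):
    """Report where a group is still used: parent groups whose group-object
    lines name it, and ACLs with an ACE that says 'object-group <name>'."""
    pattern = re.compile(r"(?<!\S)object-group " + re.escape(name) + r"(?!\S)")
    parents = [p for p, entries in groups.items() if ("group", name) in entries]
    users = [a for a, aces in acls.items() if any(pattern.search(ace) for ace in aces)]
    return {"groups": parents, "acls": users}


def remove_group_object(groups, parent, child):
    """Emulate 'no group-object <child>' inside 'object-group network <parent>'.
    True when the member was present and removed; False corresponds to the
    'obj does not exist in this group' condition, i.e. the member is genuinely absent."""
    try:
        groups[parent].remove(("group", child))
    except ValueError:
        return False
    return True


def can_delete_group(name, groups, acls):
    """'no object-group network <name>' only succeeds once nothing references the group."""
    refs = find_references(name, groups, acls)
    return not refs["groups"] and not refs["acls"]


if __name__ == "__main__":
    groups, acls = parse_config(ASA_CONFIG)
    target = "office_infrastructure_remote_vpn_address_space"
    print("expanded:", expand_group("hosts_able_to_ssh_to_server123", groups))
    print("before removal:", find_references(target, groups, acls))
    print("removed:", remove_group_object(groups, "hosts_able_to_ssh_to_server123", target))
    print("after removal:", find_references(target, groups, acls),
          "deletable:", can_delete_group(target, groups, acls))
```

Run against a saved "show running-config" instead of the sample, the reference report tells you which ACLs and parent groups still pin a group before you start, which is the order-of-operations check this thread's cleanup needed; if the emulated removal returns True but the live firewall still reports "obj does not exist in this group", the disagreement itself is the evidence to hand to TAC.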

Hi,

Does seem that it should work just fine, especially when we are just removing an "object-group" inside another "object-group".

I went through some Bug IDs and this was the only one I could find on a quick look that could match your situation. Then again, it doesn't really provide any useful information either.

Maybe it's a bug. Doesn't seem that there is very specific information about it on the site either.

I personally don't remember even using "object-group" inside another "object-group".

I tend to make a single "object-group" containing everything I need.

Naturally one obvious route would be to try some newer software, but who knows, maybe they might even produce some other bug in turn.

- Jouni

Thank you so much for finding the bug ID, but in reviewing the page disclosing this bug ID:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti16604

It says it was first found in 8.3 (2.12) and it is supposed to have been fixed in versions after it, even though I am running into this error in 8.4 (4)1, where it is supposed to have been fixed.

Hi,

I am not sure how that version numbering works.

Most of them seem like some internal Cisco version numbering, perhaps.

I wouldn't rule out the possibility of a bug unless the exact software version mentioned in the "Fixed in" was used.

As I said, I haven't used this type of "object-group" configuration, so I have had no experience of it. Also, if I understood you correctly, this isn't a problem with every similar operation of removing an "object-group" inside another "object-group".

Even the Bug descriptions/conditions etc. would seem to point to a situation where people don't know what is causing it.

Maybe it might even be corrected with a device reboot, or even just updating to 8.4(5).

- Jouni

I think at this point I will probably be opening a Case with Cisco and get their advice as to what version of code I should be upgrading to for fixing this bug. Thanks.

lyle.cameron
Level 1

I have the same issue on a number of ASA5505, 5510 and 5520 firewalls in my environment, ASA v8.4(4)1. What I've found is that a reload of the firewall, then trying to delete the object again, results in the object being deleted as expected.
