EEM Script producing warning's on standby ASA unit

kyle.wingate
Level 1

I am new to this forum.  If this needs to be moved that is fine.

 

Our organization is working on implementing Office 365.  I am in charge of the networking end of it.  We are running a pair of ASA5525-X in active / standby mode.  I found a script that pulled the list of IP addresses from Microsoft and put them into ASA format.  I then add a line at the top of the file to create an object in the ASA.  I pull the file off our tftp server to running config via EEM script to create the Office 365 object on the ASA.  The tftp to running config happens after deleting all the current config lines via the EEM script.  Everything seems to work.  However, I get a warning on the standby ASA.

The error on the standby ASA is:

WARNING: Adding obj (network-object X.X.X.X 255.255.128.0) to grp (o365) failed; object already exists

This warning happens for every line in the object group, that is being created by the text file that I copy to the running config.

sho ver on ASA:

Cisco Adaptive Security Appliance Software Version 9.10(1)
Firepower Extensible Operating System Version 2.4(1.103)
Device Manager Version 7.10(1)

EEM Script:

sho event manager:

event manager applet update-office-365-IPs, hits 31, last 2019/05/02 02:00:07
last file none
event absolute 2:00:00, left 36241 secs, hits 3, last 2019/05/02 02:00:02 timer syncs 4
action 1 cli command "no nat (inside,outside) after-auto source dynamic obj-X.X.X.X obj-X.X.X.X destination static o365 o365", hits 8, last 2019/05/02 02:00:02
action 2 cli command "no access-list inside extended permit ip any object-group o365", hits 8, last 2019/05/02 02:00:02
action 3 cli command "no object-group network o365", hits 8, last 2019/05/02 02:00:02
action 4 cli command "copy /noconfirm tftp://X.X.X.X/asa-o365-object.txt running-config", hits 31, last 2019/05/02 02:00:02
action 5 cli command "nat (inside,outside) after-auto 1 source dynamic obj-X.X.X.X obj-X.X.X.X destination static o365 o365", hits 7, last 2019/05/02 02:00:07
action 6 cli command "access-list inside extended permit ip any object-group o365", hits 8, last 2019/05/02 02:00:07
action 7 cli command "write memory", hits 31, last 2019/05/02 02:00:07

This script works just fine, and when copy-pasted line by line, does not produce the error.

The text file that I am pulling into the ASA starts like this:

object-group network o365test
network-object X.X.X.X

There are many Cisco formatted lines in it, and they all seem to get put into the object-group just fine.

I did contact Cisco, and my engineer had the comment below, and pointed me to this forum:

I replicated the issue and I was able to see that in our lab the same thing happens in the standby device. At this point I was researching this and I did not find much information about this problem, so I am going to advise you to use the Cisco forums, as this feature is actually not supported by Cisco TAC. In this case these are the links to go to the forums:

Cisco TAC does not support nor create these types of scripts for customers. For any questions or suggestions you can reach out to the support community.

 

Could this be happening because the EEM script is running on both units at the same time and when the command on the active runs it tries to sync to the standby and that is why I am getting the warning?

Is there a way to not have the standby unit run the script, and just rely on the primary unit to do it?

Is this anything to really worry about?

 
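The conversion step the original post describes (take the published prefix list and turn it into `object-group network` / `network-object` lines for the ASA), as an added example that is not the poster's script or Microsoft's own tooling. The prefix list below is constructed sample data standing in for the Microsoft endpoint list; the group name `o365` is the one from the post. It also de-duplicates and canonicalises the prefixes before rendering, which removes one possible source of "object already exists" lines from the file itself, and handles host entries and IPv6 the way ASA syntax expects.

```python
"""Convert a list of IP prefixes into ASA object-group configuration.

Added example, not code from the original post. SAMPLE_PREFIXES is
constructed sample input standing in for the Microsoft-published list.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample input: mixed IPv4/IPv6 prefixes, one exact duplicate,
# one host route, and one prefix with host bits set (not canonical).
SAMPLE_PREFIXES = [
    "13.107.6.152/31",
    "13.107.18.10/31",
    "13.107.128.0/22",
    "40.96.0.0/13",
    "13.107.128.0/22",      # duplicate: would produce "object already exists"
    "52.96.0.0/14",
    "131.253.33.215/32",    # single host
    "2603:1006::/40",       # IPv6 prefix
    "40.96.1.2/13",         # same /13 as above once host bits are cleared
]


def normalise_prefixes(prefixes: Iterable[str]):
    """Parse, canonicalise (strict=False clears host bits) and de-duplicate.

    The result is sorted by IP version, address and prefix length so the
    generated file is stable between runs, which makes diffing easy.
    """
    seen = set()
    nets = []
    for p in prefixes:
        net = ipaddress.ip_network(p.strip(), strict=False)
        if net in seen:
            continue
        seen.add(net)
        nets.append(net)
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def asa_network_object(net) -> str:
    """Render one network as an ASA 'network-object' line.

    ASA syntax: single hosts use 'host <addr>', IPv4 subnets use a dotted
    netmask (e.g. 255.255.128.0 as in the warning quoted above), and IPv6
    subnets use CIDR prefix-length notation.
    """
    if net.prefixlen == net.max_prefixlen:
        return f"network-object host {net.network_address}"
    if net.version == 4:
        return f"network-object {net.network_address} {net.netmask}"
    return f"network-object {net.with_prefixlen}"


def build_object_group(prefixes: Iterable[str], group: str = "o365") -> List[str]:
    """Produce the lines that get copied into running-config via TFTP."""
    lines = [f"object-group network {group}"]
    lines.extend(asa_network_object(n) for n in normalise_prefixes(prefixes))
    return lines


if __name__ == "__main__":
    print("\n".join(build_object_group(SAMPLE_PREFIXES)))
```

Running the block prints the `object-group network o365` header followed by seven member lines; the duplicate `/22` and the non-canonical `/13` collapse into the entries already present.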

2 Replies

balaji.bandi
Hall of Fame

I have not tried that script, but I do work with many EEM scripts.

 

Just a Technical / Implementation point of view. Active / Standby - we always make the change on the Active, so the Active automatically syncs the config to the Standby unit.

In your case just do the config on the Active and let the Active sync the config to the Standby? To verify this, after a few minutes download both configs if you like and compare whether it is working as expected and the config is in sync.

 

Personally I do not believe you need to make any changes on the Secondary (Standby unit here in your case).

 

Make sense ?

 

BB

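The verification step suggested in the reply above (download the config from both units and compare the group), as an added example that is not part of the reply. The two config excerpts are constructed sample text standing in for `show running-config` output captured from the active and standby units; the function names are assumptions for this illustration.

```python
"""Compare one object-group between two saved ASA configurations.

Added example, not code from the original thread. ACTIVE_CONFIG and
STANDBY_CONFIG are constructed sample excerpts of 'show running-config'.
"""
import re
from typing import Dict, Set

# Constructed sample: the standby copy is missing one member of o365.
ACTIVE_CONFIG = """\
object-group network o365
 network-object 13.107.6.152 255.255.255.254
 network-object 13.107.128.0 255.255.252.0
 network-object host 131.253.33.215
object-group network other
 network-object 10.0.0.0 255.0.0.0
access-list inside extended permit ip any object-group o365
"""

STANDBY_CONFIG = """\
object-group network o365
 network-object 13.107.6.152 255.255.255.254
 network-object 13.107.128.0 255.255.252.0
object-group network other
 network-object 10.0.0.0 255.0.0.0
"""


def parse_object_groups(config: str) -> Dict[str, Set[str]]:
    """Return {group name: set of member lines} for every 'object-group network'.

    ASA indents members with a leading space; the block ends at the first
    non-indented line. All indented lines (network-object, group-object,
    description) are kept verbatim so any difference shows up.
    """
    groups: Dict[str, Set[str]] = {}
    current = None
    for raw in config.splitlines():
        header = re.match(r"object-group network (\S+)\s*$", raw)
        if header:
            current = header.group(1)
            groups.setdefault(current, set())
            continue
        if current is not None and raw.startswith(" "):
            member = raw.strip()
            if member:
                groups[current].add(member)
            continue
        current = None  # any other top-level line closes the block
    return groups


def compare_group(active: str, standby: str, group: str) -> Dict[str, Set[str]]:
    """Members present on only one unit; two empty sets mean the group is in sync."""
    a = parse_object_groups(active).get(group, set())
    s = parse_object_groups(standby).get(group, set())
    return {"only_active": a - s, "only_standby": s - a}


if __name__ == "__main__":
    for name in ("o365", "other"):
        print(name, compare_group(ACTIVE_CONFIG, STANDBY_CONFIG, name))
```

Membership is compared as sets, so ordering differences between the two dumps are ignored and only real divergence between the units is reported.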

This is an ASA bug and has been there for many years. When you enter an existing object into an object-group on the active firewall, nothing is printed on the console of the active unit, but the console of the standby unit complains this way:

 

WARNING: Adding obj (network-object XXXXXXXX  XXXXXXXX) to grp (XXXXXXX) failed; object already exists

 

For an ASA with many scripted changes, this makes the console on the standby unit unusable.