10-26-2014 03:53 AM - edited 03-11-2019 09:59 PM
Dear All,
I have an ASA 5520 which was running software version 8.2; I have upgraded it to 8.4.7.
The migration process completed successfully and everything seems to have gone well. I just have one weird issue related to the ACLs associated with object groups; below is the explanation, before and after the migration:
In the old configs I had something like the below:
object-group network Remote_FW
description Threadneedle remote firewalls
network-object object FW01
network-object object FW02
network-object object FW03
network-object object FW04
object-group network Internal_Net
description Internal Networks
network-object 10.10.102.0 255.255.255.0
network-object 10.10.104.0 255.255.255.0
network-object 10.10.105.0 255.255.255.0
network-object 10.10.122.0 255.255.255.0
access-list outside-in extended permit tcp object-group Remote_FW object-group Internal_Net eq ftp log
After the upgrade to 8.4, the same objects are still there, but the access-list became:
access-list outside-in remark Migration, ACE (line 3) expanded: permit tcp object-group Remote_FW eq ftp
access-list outside-in extended permit tcp object FW01 10.10.102.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW01 10.10.104.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW01 10.10.105.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW01 10.10.122.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW02 10.10.102.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW02 10.10.104.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW02 10.10.105.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW02 10.10.122.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW03 10.10.102.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW03 10.10.104.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW03 10.10.105.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW03 10.10.122.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW04 10.10.102.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW04 10.10.104.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW04 10.10.105.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW04 10.10.122.0 255.255.255.0 eq ftp log
So it seems to create a separate line for each source against each destination in the objects!
At the beginning I thought this was the behaviour of the new OS, but I have noticed that a different access-list uses the same object without any issue!
Any idea why that is?
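Checking that a migration-expanded ACL is exactly the cross product the original object-group ACE described, as an added example that is not part of this thread: the object names and networks are those quoted above, trimmed to two members per group, and the post-migration sample is constructed with one line deliberately left out so the audit has something to report.

```python
from itertools import product

# Constructed sample: the object groups and ACE quoted in the post, two members each.
PRE_MIGRATION = """\
object-group network Remote_FW
 network-object object FW01
 network-object object FW02
object-group network Internal_Net
 network-object 10.10.102.0 255.255.255.0
 network-object 10.10.104.0 255.255.255.0
access-list outside-in extended permit tcp object-group Remote_FW object-group Internal_Net eq ftp log
"""
# Constructed post-migration output as the thread shows it; one FW02 line is left out on purpose.
POST_MIGRATION = """\
access-list outside-in remark Migration, ACE (line 3) expanded: permit tcp object-group Remote_FW eq ftp
access-list outside-in extended permit tcp object FW01 10.10.102.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW01 10.10.104.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW02 10.10.102.0 255.255.255.0 eq ftp log
"""

def parse_groups(config):
    """Map each network object-group to its members as ACE tokens ("object FW01" or "net mask")."""
    groups, current = {}, None
    for line in config.splitlines():
        if line.startswith("object-group network "):
            current = groups.setdefault(line.split()[2], [])
        elif current is not None and line.strip().startswith("network-object "):
            current.append(line.strip()[len("network-object "):])
    return groups

def expand_ace(ace, groups):
    """Return the cross product of ACEs that one object-group ACE expands to."""
    tokens = ace.split()
    slots = [i for i, t in enumerate(tokens) if t == "object-group"]
    expanded = set()
    for combo in product(*(groups[tokens[i + 1]] for i in slots)):
        out = list(tokens)
        for i, member in sorted(zip(slots, combo), reverse=True):
            out[i:i + 2] = member.split()  # right to left keeps earlier indices valid
        expanded.add(" ".join(out))
    return expanded

def audit_expansion(pre_config, post_config, acl_name):
    """Return (missing, extra) ACEs compared with what the expansion should produce."""
    groups, prefix = parse_groups(pre_config), f"access-list {acl_name} extended"
    expected = set().union(*(expand_ace(l, groups)
                             for l in pre_config.splitlines() if l.startswith(prefix)))
    actual = {l for l in post_config.splitlines() if l.startswith(prefix)}
    return expected - actual, actual - expected
```

Run against `show running-config` output captured before and after the upgrade, the same audit scales to the 2500-line ACL mentioned further down; the remark lines the migration inserts are ignored because only `extended` ACEs are compared.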
10-26-2014 10:01 AM
So what is the problemo?
The access-list is working.
10-26-2014 04:03 PM
The access-list is working, but instead of a single-line access-list I got more than 2500 lines, which makes for a very long running config!
10-26-2014 04:59 PM
Hi Eng.Bader,
I would try to remove it and reapply it. If you do that, please try this:
clear configure access-list outside-in
access-list outside-in extended permit tcp object-group Remote_FW object-group Internal_Net eq ftp log
Please note that if you are going to do that remotely and you are connected to the outside interface, you will be locked out as soon as you remove the access list, so you should do it from the inside network.
Regards,
Aref
10-26-2014 09:15 PM
Hi,
This is expected when upgrading to the broad view [8.3+] versions.
I would request that you use this command to compress this ACL and any other expanded ACL:
object-group-search access-control
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/o.html#pgfId-1866962
Thanks and Regards,
Vibhor Amrodia