ASA 5500-X using ASDM 7.3.101 edit object-group deletes access-list

Rodrigo Belo
Level 1

Hi all,

 

I have an object-group (OBJ-Customers) with multiple other object-groups (OBJ-client01; OBJ-client02...etc).

When I was adding a new object (OBJ-client0Z) to the main OBJ-Customers, every access-list that had OBJ-Customers got deleted.

 

Now, when I try to add any objects to OBJ-Customers I get an access-list error (file attached), even though OBJ-Customers is not on any access-list.

Plus, I cannot create any new access-list with OBJ-Customers (it doesn't error, but the access-list just doesn't get created, both with ASDM and CLI).

 

How can I troubleshoot/debug this?

Can anyone help me out please?

Accepted Solution

Hi,

You are running into this defect: CSCup28968

I would recommend an upgrade. This command might be important if you have a large number of ACEs expanded because of the object groups.

If you don't have that many ACLs, you can probably remove it.

Thanks and Regards,

Vibhor Amrodia

 


4 Replies

Vibhor Amrodia
Cisco Employee

Hi,

What is the ASA device version ?

Are you using this command on the ASA device:-

object-group-search access-control

Thanks and Regards,

Vibhor Amrodia

Cisco Adaptive Security Appliance Software Version 9.2(2)4
Device Manager Version 7.3(1)101

 

Yes, I didn't realise it, but I am using "object-group-search access-control"!

Is this a bad thing?

Can the firewall be hitting some sort of limit with this?

And if so, how can I check it?

"You can reduce the memory required to search access rules by enabling object group search, but this is at the expense of rule lookup performance. When enabled, object group search does not expand network objects, but instead searches access rules for matches based on those group definitions. You can set this option using the object-group-search access-control command."

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/access-rules.html

 

Thanks
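As an added illustration of what the quoted passage means in practice (this script is not part of the thread and is not a Cisco tool), the code below parses a small constructed ASA-style configuration with nested network object-groups and estimates how many access control entries each ACL would occupy once the groups are expanded, which is what the firewall has to do when object-group-search is not enabled. All group, host and ACL names in the sample are made up; the parser only handles `object-group network` blocks and treats any other source/destination token as a single element, which is a simplification.

```python
import re

# Constructed sample configuration modelled on ASA syntax (names are invented).
# OBJ-Customers nests two client groups, mirroring the layout described in the thread.
SAMPLE_CONFIG = """
object-group network OBJ-client01
 network-object host 10.1.1.10
 network-object host 10.1.1.11
object-group network OBJ-client02
 network-object 10.2.0.0 255.255.255.0
 network-object host 10.2.1.5
object-group network OBJ-Customers
 group-object OBJ-client01
 group-object OBJ-client02
object-group network OBJ-Servers
 network-object host 192.0.2.10
 network-object host 192.0.2.11
 network-object host 192.0.2.12
access-list OUTSIDE_IN extended permit tcp object-group OBJ-Customers object-group OBJ-Servers eq 443
access-list OUTSIDE_IN extended permit ip object-group OBJ-Customers any
"""


def parse_object_groups(config):
    """Return {group_name: [member lines]} for every 'object-group network' block."""
    groups = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        # Indented lines belong to the block opened by the last object-group line.
        if raw.startswith(" ") and current is not None:
            groups[current].append(raw.strip())
            continue
        match = re.match(r"object-group network (\S+)$", raw)
        current = match.group(1) if match else None
        if current:
            groups[current] = []
    return groups


def expanded_members(groups, name, seen=None):
    """Count leaf network-objects reachable from a group, following group-object nesting.

    'seen' guards against a reference loop; it is released on the way back out so
    that the same sub-group may legitimately appear under two different parents.
    """
    seen = set() if seen is None else seen
    if name in seen:
        raise ValueError(f"object-group reference loop at {name}")
    seen.add(name)
    total = 0
    for member in groups[name]:
        if member.startswith("group-object "):
            total += expanded_members(groups, member.split()[1], seen)
        else:
            total += 1
    seen.discard(name)
    return total


def expanded_ace_count(groups, ace_line):
    """One configured ACE expands to the product of the sizes of the groups it references."""
    count = 1
    for ref in re.findall(r"object-group (\S+)", ace_line):
        count *= expanded_members(groups, ref)
    return count


def acl_expansion_report(config):
    """Per ACL: how many ACEs are configured versus how many they expand to."""
    groups = parse_object_groups(config)
    report = {}
    for line in config.splitlines():
        match = re.match(r"access-list (\S+) extended ", line)
        if not match:
            continue
        entry = report.setdefault(match.group(1), {"configured": 0, "expanded": 0})
        entry["configured"] += 1
        entry["expanded"] += expanded_ace_count(groups, line)
    return report


if __name__ == "__main__":
    for acl, counts in acl_expansion_report(SAMPLE_CONFIG).items():
        print(f"{acl}: {counts['configured']} configured ACEs -> {counts['expanded']} expanded")
```

With the sample above, OBJ-Customers resolves to 4 hosts/subnets and OBJ-Servers to 3, so the two configured ACEs expand to 12 + 4 = 16 elements. The ratio between "configured" and "expanded" is what object-group-search trades away: it keeps memory use close to the configured count at the cost of slower rule lookups. On the appliance itself, the element count that `show access-list` prints for each ACL is the figure to compare against when deciding whether the command is still needed.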


 

That was a great pointer Vibhor...

I may be hitting BUG CSCup28968.

https://tools.cisco.com/bugsearch/bug/CSCup28968

 

I will schedule a change and/or upgrade and let you know later on.

How bad (in performance I mean) would it be if I turned off "object-group-search access-control"?

 

Feel free to give any other opinion you may have.

 

Thanks
