ASA ≥ 9.18.4.x: object dependency checks are broken

Bernd Nies · ‎06-03-2024

I noticed a new odd behaviour of ASA 9.18.4.22. Object-group and object duplicate and dependency checks no longer work. It used to complain when one edits an object-group and adds an object that already existed. Now nothing shown at all. Also it used to complain when deleting an object that it could not be deleted because it was still in use by an object-group or an access-list.

firewall1/context2/act# show run object-group id Some-Object-Group
object-group network Some-Object-Group
network-object 1.0.0.0.0 255.0.0.0
network-object 2.0.0.0.0 255.0.0.0
network-object 3.0.0.0.0 255.0.0.0

firewall1/context2/act#  conf t
firewall1/context2/act(config)# object-group network Some-Object-Group
firewall1/context2/act(config-network-object-group)#  network-object 3.0.0.0.0 255.0.0.0
firewall1/context2/act(config-network-object-group)# exit

On a firewall with an older release (e.g. Version 9.16(3)23) adding a duplicate network-object shows a warning like this:

WARNING: Adding obj (network-object 3.0.0.0 255.0.0.0) to grp (Some-Object-Group) failed; object already exists

Don't know if that was before on that version, but definitely not on a version prior to 9.18.4.x. We don't have this behaviour on ASA firewalls running 9.16.x.

On ASA 9.18.4.24 deleting an network-object that was used in an object-group showed no error that the network-object is still used in an object-group. Instead ASA adds a duplicate network-object in same object-group:

firewall1/context2/act(config)# show run object-group id dummy-group-1
object-group network dummy-group-1
 network-object object dummy-object-1
 network-object object dummy-object-2

firewall1/context2/act(config)# show run object id dummy-object-1
object network dummy-object-1
 host 1.0.0.0

firewall1/context2/act(config)# show run object id dummy-object-2
object network dummy-object-2
 host 2.0.0.0

firewall1/context2(config)# no object network dummy-object-1

firewall1/context2(config)# show run object-group id dummy-group-1
object-group network dummy-group-1
 network-object object dummy-object-1
 network-object object dummy-object-2
 network-object object dummy-object-1

Removing duplicate causes firewall to panic and reboot.

firewall1/context2/act(config)# object-group network dummy-group-1
firewall1/context2/act(config-network-object-group)# no  network-object object dummy-object-1

Coredump starting....
Corehelper: /opt/cisco/csp/cores/core.lina.10.1266.1717407923
Waiting for Corehelper to finish....
Livecore: generating coredump of 1266
[New LWP 1377]
[New LWP 1378]
[New LWP 1379]
[New LWP 1380]
[New LWP 1382]
[New LWP 1383]
[New LWP 1384]
[New LWP 1385]
[New LWP 1386]
[New LWP 1387]
[New LWP 1388]
[New LWP 1389]
[New LWP 1390]
[New LWP 1391]
[New LWP 1392]
[New LWP 1393]
[New LWP 1394]
0x000000fff79a474c in pthread_cond_timedwait () from /lib64/libpthread.so.0
warning: target file /proc/1266/cmdline contained unexpected null characters

Bernd Nies · ‎06-11-2024

Does somebody else encounter this bug or know in which release it will be fixed? We have it on ASA 9.18.4.22.

Bernd Nies · ‎06-11-2024

It also affects objects and object-groups used by access-lists. An object or object-group used by an access-list can be removed without an error. The access-list line still exists, but points to a non-existing object or object group.

Bernd Nies · ‎06-16-2024

I setup today an ASAv from scratch on our VMware environment for testing various releases. Upgraded from ASAv 9.12.3.12 to 9.16.4. There all the object dependencies check still work. After upgrading to base 19.18.4 and then also latest interim 9.18.4.29. Dependency checks do not work. Same issue with 9.20.2.22.

That bug is in the entire ASA release from 19.18.4 and above!

tvotna · ‎06-17-2024

Please tell us bug id if TAC opens one.

Bernd Nies · ‎06-17-2024

I will. They probably name the bug after me. I found so many.