ASA - New policies being "jumbled" when applied

ASA 5585-SSP-40 running v8.4(6)

Configuring using ASDM v7.1(2)

Have run into a few instances where newly-applied policies would become jumbled with other policies. I've seen this before when multiple admins were applying policies at or near the same time, but it occurred again recently and I am unable to tell if the policies were applied "simultaneously" or if the jumbled policies were applied at significantly different times.

Symptom:  When a new policy is applied, portions of the policy are "jumbled" with another policy.  For example, a policy applied this morning showed the correct port that was configured, but the configured destination address became the applied source address, and the applied destination address was the destination address of a different policy.

In a separate incident, I had applied a policy that appeared correctly upon application.  Later another admin entered a new policy, and the "Description" from my policy moved from my policy to the new policy.

The only other time I've noticed this was during a time when multiple people were making changes simultaneously in a short period of time.  This time it is unclear how far apart the changes were made, but believed the time span was significant enough to where the issue should not have been a stale configuration in one ASDM session.  I cannot rule that out, however.

Currently looking for bugs in this ASA version and would appreciate any input if this is a known issue or can be reliably reproduced (so we understand the exact causal scenario).

Thanks! -Ed

Jouni Forss


I couldn't find any listed ASDM bugs that would explain what you are seeing.

And "sadly" I am not an ASDM user. I mainly use it for monitoring purposes and some other setting changes that I feel are easier through ASDM.

Personally I would probably start by enabling the command preview in the ASDM preferences and seeing beforehand what CLI commands the ASDM is about to enter into the ASA.

I would imagine this should tell if the ASDM is entering something completely wrong compared to what was entered into the fields.

- Jouni
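The command-preview check suggested above can be partly automated. This is an added example, not code from the thread's participants or from Cisco: it parses previewed `access-list` lines and compares them with the values entered in the rule dialog. The ACL name, the addresses, and the host-to-host, numeric-port line format are constructed assumptions.

```python
import re

# Constructed sample: the values the admin typed into the rule dialog.
INTENDED = {"action": "permit", "proto": "tcp", "src": "10.10.1.5",
            "dst": "192.0.2.20", "port": "443"}

# Constructed sample of previewed CLI showing the symptom from the first post:
# the intended destination is in the source slot, and the destination comes
# from some other rule.
PREVIEW = """\
access-list outside_access_in line 4 remark Web access for app team
access-list outside_access_in line 5 extended permit tcp host 192.0.2.20 host 198.51.100.7 eq 443
"""

# Assumption: only host-to-host extended ACEs with an optional "eq <port>".
ACE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?:line\s+(?P<line>\d+)\s+)?extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+host\s+(?P<src>\S+)\s+"
    r"host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$")

def parse_aces(preview):
    """Return one dict per host-to-host extended ACE in the preview text."""
    return [m.groupdict() for m in map(ACE.match, preview.splitlines()) if m]

def check(intended, ace):
    """List the ways a previewed ACE differs from what was intended."""
    problems = [f"{k}: intended {intended[k]!r}, preview has {ace[k]!r}"
                for k in ("action", "proto", "src", "dst", "port")
                if intended[k] != ace[k]]
    if ace["src"] == intended["dst"]:
        problems.append("intended destination appears as the SOURCE")
    if ace["dst"] not in (intended["src"], intended["dst"]):
        problems.append("destination belongs to neither side of the intended rule")
    return problems

if __name__ == "__main__":
    for ace in parse_aces(PREVIEW):
        for p in check(INTENDED, ace):
            print(f"{ace['acl']} line {ace['line']}: {p}")
```

An empty result from `check` means the previewed line matches the dialog; any output is a reason to cancel the apply and refresh the ASDM session first.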

Thanks, Jouni!  Definitely heeding the advice - we're enabling the command preview and keeping an eye on pre-committed changes for anything odd.

I wish I had become more accustomed to the ASA CLI prior to now. I'm typically a "CLI-guy", but this new position allowed me to fondle many new devices. I put those ahead of getting up to speed on the ASA CLI and am slowly getting back to it. As I'm still using ASDM for many activities (and many on the team will still use it almost exclusively) we'll track it down. Of course any odd situation will need to be sniffed out, but I suspect this may be someone not refreshing their ASDM instance prior to applying configurations. We've seen that before but were able to definitively tie it down to an instance where someone applied a stale config.


