02-22-2019 03:46 AM - edited 02-22-2019 03:47 AM
Hi, all.
I have Cisco ASA 5515X with installed REST-API agent
asa# sh run | i rest
rest-api image disk0:/asa-restapi-132325-lfbff-k8.SPA
rest-api agent
Using ASDM I can successfully create copy of ACE in ACL, I mean that I can in ACL create two absolutely equal ACEs.
When I'm trying to create copy of existing ACE in the same ACL using REST API, I'm getting the following error:
stdClass Object (
[messages] => Array (
[0] => stdClass Object ( [level] => Error [code] => DUPLICATE [context] => objectId [details] => 1178952304 ) )
)
So, Is there any way to create two equal ACEs in one ACL using REST API?
Solved! Go to Solution.
02-25-2019 03:25 AM
I am trying to reproduce your error with the following ACE (in command line format).
and I try to check on the GET result to see whether is look similar to yours.
It look similar! so I go ahead to reproduce your issue:
I got your issue now. That's look like is the BUG. Because if you are using "enhanced object groups" (wrapping services into object-group), the sourceService will be set to "ip" while the destination is objectRef#TcpUdpServiceObj. The mismatching protocol caused the error message.
So, if your object-group (E.g. tcp-1024-65535) contains only TCP service, you could use the following method as a workaround. You also specify the protocol value at the first time.
Then it will work.
If your object contains multiple protocols (E.g. UDP + TCP), you can still set the PATCH like below even through it contains both TCP/UDP.
{
"position": 2,
"sourceService": {
"value": "tcp"
}
}
You are recommended to open a TAC case to report this bug for a fix.
02-25-2019 03:41 AM
Yes, you absolutely right.
A must also note the following:
1) If I create such ACE (as in my example) using ASDM, then ACE is created with "IP" as SourceService.
2) But if I create the same ACE using API, then ACE is created with "TCP" as SourceService
=)
So, you can face with this BUG only if you created you ACE ins ASDM or CLI, and after that you trying to PATCH it using API.
If you have created ACE using API all will be ok, because using API ASA modify sourceService accordinly.
02-22-2019 03:57 AM
02-22-2019 04:25 AM - edited 02-22-2019 05:39 AM
Yes, now I try to create duplicate ACE using CLI and get following message:
"WARNING: <anyconnect_test_api_acl> found duplicate element"
So, using CLI I also cannot create copy of existing ACE in the same ACL.
Now I try to explain why it so important for me.
I develop Web-application for our security-team to alllow our security guys manage ACLs without deep knowledge of how doing this in ASA CLI.
Security team ask me to develop feature, that allow them to reorder ACEs in ACL using web interface.
So, in Cisco ASA REST-API documentation there is "PATCH" method for "/api/objects/extendedacls/{aclName}/aces", and documentation exaples says, that I can modify "position" of existing ACE in ACL.
We start to use this method for ACE reordering, but faced with following problem: if ACE has different source and destination service defined (here I must to note that when I create ACE, I allways define destination service only), when I try to use "PATCH" method for changing ACE position, I'm getting the following error:
string(155) "{"messages":[{"level":"Error","code":"ACCESS-SRC-DST-SERVICE-SAME-TYPE","details":"Destination Service and Source Service should have the same protocol"}]}"
Why Cisco imposed such restriction on API?
And is there any workaround?
P.S. Why this message was marked as spam? I wrote about things that I want to understand. And I am not writing a lie.
02-22-2019 05:48 AM
Yes, now I try to create duplicate ACE using CLI and get following message:
"WARNING: <anyconnect_test_api_acl> found duplicate element"
So, using CLI I also cannot create copy of existing ACE in the same ACL.
Now I try to explain why it so important for me.
I develop Web-application for our security-team to alllow our security guys manage ACLs without deep knowledge of how doing this in ASA CLI.
Security team ask me to develop feature, that allow them to reorder ACEs in ACL using web interface.
So, in Cisco ASA REST-API documentation there is "PATCH" method for "/api/objects/extendedacls/{aclName}/aces", and documentation exaples says, that I can modify "position" of existing ACE in ACL.
We start to use this method for ACE reordering, but faced with following problem: if ACE has different source and destination service defined (here I must to note that when I create ACE, I allways define destination service only), when I try to use "PATCH" method for changing ACE position, I'm getting the following error:
"{"messages":[{"level":"Error","code":"ACCESS-SRC-DST-SERVICE-SAME-TYPE","details":"Destination Service and Source Service should have the same protocol"}]}"
Why Cisco imposed such restriction on API?
And is there any workaround?
P.S. Why this message was marked as spam? I wrote about things that I want to understand. And I am not writing a lie.
02-25-2019 12:41 AM - edited 02-25-2019 12:42 AM
Here is example of existing ACE JSON structure:
{
"kind":"object#ExtendedACE",
"selfLink":"https://x.x.x.x/api/access/in/TP/rules/556116732",
"permit":true,
"sourceAddress":{
"kind":"objectRef#NetworkObj",
"refLink":"https://x.x.x.x/api/objects/networkobjects/MA_TP",
"objectId":"MA_TP"
},
"destinationAddress":{
"kind":"objectRef#NetworkObjGroup",
"refLink":"https://x.x.x.x/api/objects/networkobjectgroups/ma-vnc",
"objectId":"ma-vnc"
},
"sourceService":{
"kind":"NetworkProtocol",
"value":"ip"
},
"destinationService":{
"kind":"objectRef#TcpUdpServiceObj",
"refLink":"https://x.x.x.x/api/objects/networkservices/tcp-1024-65535",
"objectId":"tcp-1024-65535"
},
"active":true,
"remarks":[],
"ruleLogging":{
"logStatus":"Default",
"logInterval":300
},
"position":2,
"isAccessRule":true,
"objectId":"556116732"
}
Now I'm trying to PATCH this ACE to renumber it. And here I get this:
@ngkin2010 Can you reproduce this?
02-25-2019 03:25 AM
I am trying to reproduce your error with the following ACE (in command line format).
and I try to check on the GET result to see whether is look similar to yours.
It look similar! so I go ahead to reproduce your issue:
I got your issue now. That's look like is the BUG. Because if you are using "enhanced object groups" (wrapping services into object-group), the sourceService will be set to "ip" while the destination is objectRef#TcpUdpServiceObj. The mismatching protocol caused the error message.
So, if your object-group (E.g. tcp-1024-65535) contains only TCP service, you could use the following method as a workaround. You also specify the protocol value at the first time.
Then it will work.
If your object contains multiple protocols (E.g. UDP + TCP), you can still set the PATCH like below even through it contains both TCP/UDP.
{
"position": 2,
"sourceService": {
"value": "tcp"
}
}
You are recommended to open a TAC case to report this bug for a fix.
02-25-2019 03:41 AM
Yes, you absolutely right.
A must also note the following:
1) If I create such ACE (as in my example) using ASDM, then ACE is created with "IP" as SourceService.
2) But if I create the same ACE using API, then ACE is created with "TCP" as SourceService
=)
So, you can face with this BUG only if you created you ACE ins ASDM or CLI, and after that you trying to PATCH it using API.
If you have created ACE using API all will be ok, because using API ASA modify sourceService accordinly.
02-22-2019 05:43 AM
Yes, now I try to create duplicate ACE using CLI and get following message:
"WARNING: <anyconnect_test_api_acl> found duplicate element"
So, using CLI I also cannot create copy of existing ACE in the same ACL.
Now I try to explain why it so important for me.
I develop Web-application for our security-team to alllow our security guys manage ACLs without deep knowledge of how doing this in ASA CLI.
Security team ask me to develop feature, that allow them to reorder ACEs in ACL using web interface.
So, in Cisco ASA REST-API documentation there is "PATCH" method for "/api/objects/extendedacls/{aclName}/aces", and documentation exaples says, that I can modify "position" of existing ACE in ACL.
We start to use this method for ACE reordering, but faced with following problem: if ACE has different source and destination service defined (here I must to note that when I create ACE, I allways define destination service only), when I try to use "PATCH" method for changing ACE position, I'm getting the following error:
string(155) "{"messages":[{"level":"Error","code":"ACCESS-SRC-DST-SERVICE-SAME-TYPE","details":"Destination Service and Source Service should have the same protocol"}]}"
Why Cisco imposed such restriction on API?
And is there any workaround?
P.S. Why this message was marked as spam? I wrote about things that I want to understand. And I am not writing a lie.
02-22-2019 08:19 AM
02-22-2019 08:59 AM - edited 02-22-2019 09:01 AM
I have did a quick lab, and it works well for me. using PATCH request to swap the position as show in the figure.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide