Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
487
Views
0
Helpful
3
Replies

ASA v9.1 -- disable flagged ACEs would not re-enable w/o reload

pbrunnen
Level 1
Level 1

‎09-01-2013 01:29 PM - edited ‎03-11-2019 07:33 PM

Hello all,

  I recently moved our 5501 from v8.2 up to 9.1...  And I have been getting used to the new format of the ACLs and NAT statemnts.  But I have a puzzle that I can't seem to justify.  Maybe others can help either with something I am doing wrong or maybe confirmation that this is a bug.  I can't find any known bug reports on this or any field notices... but I wanted some feedback before opening a TAC case.

  We were doing a server upgrade last night and we changed our external interface ACLs to set some of our permit rules to disabled while the server was being upgraded.  After the upgrade we took off the disabled flag from the ACEs, but traffic was still being blocked.  The logging output also confirmed that the asa still thought the rule was to block the traffic.

  We had been using the ASDM interface for lazyness for flagging some ACEs as 'disabled' and then removing the flag.  The 'sh run' output appeared fine, so I'm not sure if that should make a difference or not.

  I even removed the access-group entry binding the ACL to the interface and reapplying it, but that stopped all inbound traffic.  The only way we were able to restore access was to reload the asa without saving config changes.

  Anyone else have any ideas?

Cisco Adaptive Security Appliance Software Version 9.1(2)

Device Manager Version 7.1(3)

Any help is appreciated.

Thanks!  -Cheers, Peter.

*P.S. -- as a side note, immediately after the 8.2 -> 9.1 upgrade, we had some strange ACL behavior on some L2L vpn tunnels where all traffic on the L2L tunnel was being blocked and only deleting the entire ACL and reapplying it (using the same rules copy/pased from the startup-config with the same name) resolved the issue.  Very bizzaare in my opinion.

Labels:
0 Helpful
3 Replies 3

Marius Gunnerud
VIP
VIP

‎09-01-2013 01:38 PM

Did you upgrade straight from 8.2 ti 9.1 or did you go to 8.3 first?  Going straight to 9.1 can provide some unexpected results.

Did you change the NAT and ACL statements to conform to the new ASA version.  These days you need to define IP addresses in object groups and then assign those object groups to the NAT and ACLs.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

pbrunnen
Level 1
Level 1
In response to Marius Gunnerud

‎09-01-2013 02:16 PM

Hi Marius,

   I did go straight from 8.2 to 9.1...  Sadly I hadn't come across any notices about that...

   I had converted all my NAT/PAT statements into object groups, but I had not done that on the ACLs.  I did change the ACLs to use the internal IP (I guess they call that the Real IP now) versus the public one as before.  Do I need to conver the ACLs to use object groups too?

  The part I found the most odd was that everything was working fine... it was the removing of the 'disable' flag on the ACE entries that didn't seem to take effect.

Thanks again! 

  -Cheers, Peter.

0 Helpful

Marius Gunnerud
VIP
VIP
In response to pbrunnen

‎09-01-2013 11:28 PM

are there a lot of ACEs that you are trying to amend?  You could go into the CLI copy out the ACEs in question, remove the ACEs from the ASA, and then re-add the ACEs without the flag and see if that works.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card