Bug: ASA REST-API bulk operation fail leaves API in inconsistent state
Using the bulk API functionality ("/api") on my test ASAv, I tried to add the same rule twice to a new ACL.
The API call failed, as expected, with HTTP 400 and this message:
So far, as expected. But after this fail, the API and the ASA itself were no longer in a consistent state.
A "show access-list" on the ASA did not show any of the rules created, neither the unique one nor the duplicate.
A call to "/api/objects/extendedacls/TEST/aces/" however shows all rules as existing that were processed before the duplicate rule.
At this point, I found only three ways to "fix" it:
1. Reboot the ASA. It will then start with none of the rules existing in the CLI or the API.
2. Manually creating a valid rule via the CLI. All the said-to-be successfully created rules from the API will disappear, and only the new rule will exist. It seems that here the CLI will overwrite the state in the API.
3. Successfully(!) creating another rule via the API. This will cause the new API rule to exist in the ASA config, as well as those rules from the bulk creation that before only existed in the API. It seems that here the API tries to match all of the rules it thinks should exist with the config, late-creating even those it failed to create in the bulk call before.
However, this behaviour does not seem to be expected.
Cisco Adaptive Security Appliance Software Version 9.6(2)
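A way to detect the split state described above, as an added example that is not part of this post or of Cisco's tooling: compare the ACEs the REST API returns for an ACL with the ACEs the CLI actually shows. The API JSON field names and the "show access-list" lines below are constructed samples (the REST object model is assumed, not taken from this post).

```python
"""Compare the ACEs the ASA REST API reports with what the CLI actually has."""
import json
import re

# Constructed sample of GET /api/objects/extendedacls/TEST/aces/ after a failed bulk call.
# Field names are assumed from the ASA REST API object model, not taken from the post.
API_RESPONSE = json.dumps({"kind": "collection#ExtendedACE", "items": [
    {"position": 1, "permit": True, "sourceAddress": {"kind": "IPv4Address", "value": "10.1.1.1"},
     "destinationAddress": {"kind": "IPv4Address", "value": "10.2.2.2"},
     "destinationService": {"kind": "NetworkProtocol", "value": "ip"}},
    {"position": 2, "permit": True, "sourceAddress": {"kind": "IPv4Address", "value": "10.1.1.3"},
     "destinationAddress": {"kind": "IPv4Address", "value": "10.2.2.2"},
     "destinationService": {"kind": "TcpUdpService", "value": "tcp/443"}},
]})

# Constructed "show access-list TEST" output: the CLI shows nothing for this ACL.
CLI_OUTPUT = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list TEST; 0 elements; name hash: 0x00000000
"""

# Matches one extended ACE line of "show access-list" with host/host endpoints.
CLI_ACE = re.compile(
    r"^access-list (?P<acl>\S+) line \d+ extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) host (?P<src>\S+) host (?P<dst>\S+)(?: eq (?P<port>\S+))?")
PORT_NAMES = {"https": "443", "www": "80", "ssh": "22"}  # CLI prints names for well-known ports

def parse_api_aces(body):
    """Normalise API ACEs to (action, proto, src, dst, port) tuples."""
    aces = set()
    for item in json.loads(body)["items"]:
        proto, _, port = item["destinationService"]["value"].partition("/")
        aces.add(("permit" if item["permit"] else "deny", proto,
                  item["sourceAddress"]["value"], item["destinationAddress"]["value"], port))
    return aces

def parse_cli_aces(text, acl):
    """Normalise CLI ACE lines for one ACL to the same tuple shape."""
    aces = set()
    for line in text.splitlines():
        m = CLI_ACE.match(line)
        if m and m.group("acl") == acl:
            port = m.group("port") or ""
            aces.add((m.group("action"), m.group("proto"), m.group("src"), m.group("dst"),
                      PORT_NAMES.get(port, port)))
    return aces

def diff_views(api_body, cli_text, acl):
    """Return ACEs the API believes exist but the CLI lacks, and vice versa."""
    api, cli = parse_api_aces(api_body), parse_cli_aces(cli_text, acl)
    return {"api_only": sorted(api - cli), "cli_only": sorted(cli - api)}

if __name__ == "__main__":
    print(json.dumps(diff_views(API_RESPONSE, CLI_OUTPUT, "TEST"), indent=2))
```

A non-empty "api_only" list after a failed bulk call is the inconsistent state the post describes; in practice the two inputs would come from the REST API and from an SSH session respectively.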