Bug: ASA REST-API bulk operation failure leaves API in inconsistent state
Using the bulk API functionality ("/api") on my test ASAv, I tried to add the same rule twice to a new ACL.
The API call failed, as expected, with HTTP 400 and this message:
So far, as expected. But after this fail, the API and the ASA itself were no longer in a consistent state.
A "show access-list" on the ASA did not show any of the rules created, neither the unique one nor the duplicate.
A call to "/api/objects/extendedacls/TEST/aces/" however shows all rules as existing that were processed before the duplicate rule.
At this point, I found only three ways to "fix" it:
1. Reboot the ASA. It will then start with none of the rules existing in either the CLI or the API.
2. Manually creating a valid rule via the CLI. All the said-to-be successfully created rules from the API will disappear, and only the new rule will exist. It seems that here the CLI will overwrite the state in the API.
3. Successfully(!) creating another rule via the API. This will cause the new API rule to exist in the ASA config, as well as those rules from the bulk creation that before only existed in the API. It seems that here the API tries to match all of the rules it thinks should exist with the config, late-creating even those it failed to create in the bulk call before.
However, this behaviour does not seem to be expected.
Cisco Adaptive Security Appliance Software Version 9.6(2)
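The two checks a practitioner would want around this behaviour, as an added example that is not part of the original post and not Cisco's code: a pre-flight duplicate check on the bulk batch (so a batch that would fail part-way is never sent) and a reconciliation of the API's ACE listing against `show access-list` output (so the inconsistent state described above is detected before further automation runs). The bulk sub-request layout (`resourceUri`, `method`, `data`) and the four-field ACE shape are assumptions and must be mapped to the real request and response format of your ASA version; all sample data is constructed.

```python
"""Added example, not from the original post or from Cisco: pre-flight duplicate
check for an ASA REST-API bulk batch plus a drift check between the API's ACE
listing and `show access-list`. Request/response shapes are assumptions; all
sample data below is constructed."""
import re

ACL_NAME = "TEST"  # ACL name used in the post
ACE_URI = f"/api/objects/extendedacls/{ACL_NAME}/aces"


def ace_key(body):
    """Canonical identity of an ACE: same action, protocol, source and
    destination means the same rule to the ASA (simplified field set, assumed)."""
    return (body["permit"], body["protocol"], body["source"], body["destination"])


def build_bulk(ace_bodies):
    """Assemble the bulk request as a list of sub-requests (assumed layout:
    resourceUri / method / data). Reject the batch before anything is sent if it
    contains a duplicate, because a bulk call that fails part-way is what left
    the API's view and the running config out of sync."""
    seen, ops = set(), []
    for body in ace_bodies:
        key = ace_key(body)
        if key in seen:
            raise ValueError(f"duplicate ACE in batch, not sending: {key}")
        seen.add(key)
        ops.append({"resourceUri": ACE_URI, "method": "Post", "data": body})
    return ops


# One `show access-list` line for an extended ACE looks like (constructed):
#   access-list TEST line 1 extended permit tcp any host 10.0.0.5 eq www (hitcnt=0) 0x1a2b3c4d
_ENDPOINT = r"(?:any4|any6|any|host \S+|object-group \S+|object \S+|\S+ \S+)"
_SHOW_RE = re.compile(
    rf"^access-list (?P<acl>\S+) line \d+ extended (?P<action>permit|deny) "
    rf"(?P<proto>\S+) (?P<src>{_ENDPOINT}) (?P<dst>{_ENDPOINT})"
)


def parse_show_access_list(text):
    """Extract the ACEs of ACL_NAME from CLI output as a set of canonical keys.
    Port qualifiers, hit counts and hashes after the destination are ignored."""
    keys = set()
    for line in text.splitlines():
        m = _SHOW_RE.match(line.strip())
        if m and m.group("acl") == ACL_NAME:
            keys.add((m.group("action") == "permit", m.group("proto"),
                      m.group("src"), m.group("dst")))
    return keys


def reconcile(api_items, show_output):
    """Compare what the API reports for the ACL with what the CLI shows.
    Returns (only_in_api, only_in_cli); either set being non-empty is the
    inconsistent state from the post and should stop further automation."""
    api_keys = {ace_key(item) for item in api_items}
    cli_keys = parse_show_access_list(show_output)
    return api_keys - cli_keys, cli_keys - api_keys


# Constructed scenario from the post: one unique rule and one duplicate.
RULE_A = {"permit": True, "protocol": "tcp", "source": "any", "destination": "host 10.0.0.5"}
RULE_B = {"permit": False, "protocol": "ip", "source": "10.1.0.0 255.255.0.0", "destination": "any"}
BATCH_WITH_DUP = [RULE_A, RULE_B, RULE_A]

# Constructed: what the API listed for TEST after the failed bulk call
# (the real /aces response must be mapped onto the four-field shape above).
API_AFTER_FAILURE = [RULE_A, RULE_B]

# Constructed: `show access-list` showed none of them, only an unrelated ACL.
SHOW_AFTER_FAILURE = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list OUTSIDE_IN line 1 extended permit tcp any host 192.0.2.10 eq https (hitcnt=12) 0x1a2b3c4d
"""

if __name__ == "__main__":
    try:
        build_bulk(BATCH_WITH_DUP)
    except ValueError as exc:
        print("pre-flight:", exc)
    only_api, only_cli = reconcile(API_AFTER_FAILURE, SHOW_AFTER_FAILURE)
    print("in API but not in running config:", sorted(only_api))
    print("in running config but not in API:", sorted(only_cli))
```

Run the reconciliation after every bulk call (and on a schedule): the case from the post shows up as both rules present in `only_in_api` while `only_in_cli` is empty, which is the signal that the device must be brought back to a known state before anything else is pushed through the API.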