Bug: ASA REST-API bulk operation fail leaves API in inconsistent state
Using the bulk API functionality ("/api") on my test ASAv, I tried to add the same rule twice to a new ACL.
The API call failed, as expected, with HTTP 400 and this message:
So far, as expected. But after this failure, the API and the ASA itself were no longer in a consistent state.
A "show access-list" on the ASA did not show any of the rules created, neither the unique one nor the duplicate.
A call to "/api/objects/extendedacls/TEST/aces/", however, shows all rules that were processed before the duplicate rule as existing.
At this point, I found only three ways to "fix" it:
1. Reboot the ASA. It will then start with neither of the rules present in the CLI or the API.
2. Manually create a valid rule via the CLI. All the said-to-be successfully created rules from the API will disappear, and only the new rule will exist. It seems that here the CLI overwrites the state in the API.
3. Successfully(!) create another rule via the API. This will cause the new API rule to exist in the ASA config, as well as those rules from the bulk creation that before only existed in the API. It seems that here the API tries to match all of the rules it thinks should exist with the config, late-creating even those it failed to create in the bulk call before.
However, this behaviour does not seem to be expected.
Cisco Adaptive Security Appliance Software Version 9.6(2)
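As an added defender-side check (example code written for this note, not code from the post or from Cisco), the following script compares the ACEs the REST API reports for an ACL with the lines the running config actually shows, so that the inconsistent state described above can be detected instead of discovered by accident. The ACE field names ("permit", "sourceAddress", "destinationService") and the "show access-list" line layout are assumptions modelled on the ASA REST API; the sample API response and CLI output are constructed.

```python
import re

# Constructed sample of /api/objects/extendedacls/TEST/aces/ output after the
# failed bulk call. Field names follow the ASA REST API ACE object as I
# understand it (an assumption, not taken from the post).
API_ACES = [
    {"permit": True, "sourceAddress": {"kind": "AnyIPAddress", "value": "any"},
     "destinationAddress": {"kind": "IPv4Address", "value": "10.0.0.1"},
     "destinationService": {"kind": "TcpUdpService", "value": "tcp/80"}},
    {"permit": False, "sourceAddress": {"kind": "IPv4Address", "value": "192.0.2.5"},
     "destinationAddress": {"kind": "AnyIPAddress", "value": "any"},
     "destinationService": {"kind": "NetworkProtocol", "value": "ip"}},
]
# Constructed 'show access-list TEST' output: the ACL exists but holds no lines,
# which is the state the post describes.
CLI_EMPTY = "access-list TEST; 0 elements; name hash: 0x2c8a5b79\n"
# Constructed output once the first rule really is in the running config.
CLI_ONE = CLI_EMPTY + "access-list TEST line 1 extended permit tcp any host 10.0.0.1 eq www (hitcnt=0) 0x1a2b3c4d\n"

PORT_NAMES = {"www": "80", "https": "443", "ssh": "22"}  # partial; extend as needed
CLI_ACE = re.compile(r"^access-list \S+ line \d+ extended (permit|deny) (\S+) (.+?)"
                     r"(?: eq (\S+))?(?: \(hitcnt=\d+\).*)?$")

def _addr_api(obj):
    return "any" if obj["value"] in ("any", "any4") else obj["value"]

def _take_addr(tokens):
    """Pop one address ('any', 'host X' or 'X MASK') from a CLI token list."""
    if tokens[0] in ("any", "any4"):
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def key_from_api(ace):
    """Normalise an API ACE into (action, protocol, src, dst, port)."""
    proto, _, port = ace.get("destinationService", {}).get("value", "ip").partition("/")
    return ("permit" if ace["permit"] else "deny", proto,
            _addr_api(ace["sourceAddress"]), _addr_api(ace["destinationAddress"]), port or None)

def key_from_cli(line):
    """Normalise one 'show access-list' line; returns None for headers/remarks."""
    m = CLI_ACE.match(line)
    if not m:
        return None
    action, proto, rest, port = m.groups()
    src, rest = _take_addr(rest.split())
    dst, _ = _take_addr(rest)
    return (action, proto, src, dst, PORT_NAMES.get(port, port))

def find_drift(api_items, cli_text):
    """Return (only_in_api, only_in_cli): ACEs one view reports and the other lacks."""
    api = [key_from_api(a) for a in api_items]
    cli = [k for k in map(key_from_cli, cli_text.splitlines()) if k]
    return [k for k in api if k not in cli], [k for k in cli if k not in api]
```

Run against a live box, the two inputs would come from a GET on the aces URI and from "show access-list TEST" over the CLI; any non-empty first list is exactly the "exists in the API but not on the ASA" condition from the post.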