06-24-2019 07:17 AM
Hi,
I've recently updated a Cisco ASA5516-X (with Firepower)
to firmware 9.12.2 with ASDM 7.12.2
However this seems to have caused a problem when updating access control lists via the asdm
It now adds "access-list mode manual-commit" and "access-list mode auto-commit"
to the beginning and the end of the list of commands it issues to the firewall when applying ACL changes via the ASDM
So for example
access-list mode manual-commit
access-list L3_access_in line 1 remark Test rule
access-list L3_access_in line 2 extended permit ip object Win-L2-TermServ any
access-list commit
access-list mode auto-commit
which results in an error of
[ERROR] access-list mode manual-commit
access-list mode manual-commit
^
ERROR: % Invalid input detected at '^' marker.
[OK] access-list L3_access_in line 1 remark Test rule
[OK] access-list L3_access_in line 2 extended permit ip object Win-L2-TermServ any
[ERROR] access-list commit
access-list commit
ERROR: % Incomplete command
[ERROR] access-list mode auto-commit
access-list mode auto-commit
^
ERROR: % Invalid input detected at '^' marker.
I suspect this might be a bug with the asdm
According to this list it should all be compatible
https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#id_59423
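Because the ASDM apply dialog mixes the rejected wrapper commands with the ACL lines that actually matter, it is easy to miss a genuine failure in the noise. The following Python script is an added example (not from this thread, Cisco or ASDM) that parses the transcript ASDM shows after applying a change, separates errors on the three wrapper commands (`access-list mode manual-commit`, `access-list commit`, `access-list mode auto-commit`) from errors on real ACL entries, and reports whether the real entries were all accepted. The transcript text is a constructed sample copied from the output above; the function and variable names are the example's own.

```python
import re
from dataclasses import dataclass

# The three commands ASDM 7.12(2) wraps around an ACL edit and which this
# ASA version rejects. Their failure alone does not mean the ACL edit failed.
WRAPPER_COMMANDS = {
    "access-list mode manual-commit",
    "access-list commit",
    "access-list mode auto-commit",
}

# A result line looks like "[OK] <command>" or "[ERROR] <command>".
_MARKER = re.compile(r"^\[(OK|ERROR)\]\s+(.*)$")


@dataclass
class CommandResult:
    status: str        # "OK" or "ERROR"
    command: str       # the command ASDM sent to the ASA
    message: str = ""  # the "ERROR: % ..." line, when present


def parse_asdm_transcript(text):
    """Turn the ASDM apply transcript into one CommandResult per command.

    Lines after an [ERROR] marker echo the command and a '^' caret and then
    carry the ASA's "ERROR: % ..." message; only the message is kept.
    """
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _MARKER.match(line)
        if m:
            results.append(CommandResult(m.group(1), m.group(2).strip()))
        elif results and line.startswith("ERROR:"):
            results[-1].message = line
    return results


def is_wrapper(command):
    return command.strip() in WRAPPER_COMMANDS


def summarize(text):
    """Report whether every non-wrapper command was accepted by the ASA."""
    results = parse_asdm_transcript(text)
    real = [r for r in results if not is_wrapper(r.command)]
    return {
        # True only if there was at least one real ACL command and none failed
        "applied": bool(real) and all(r.status == "OK" for r in real),
        "real_failures": [r.command for r in real if r.status == "ERROR"],
        "wrapper_failures": [
            r.command for r in results if is_wrapper(r.command) and r.status == "ERROR"
        ],
    }


# Constructed sample: the transcript from the post above.
SAMPLE_TRANSCRIPT = """\
[ERROR] access-list mode manual-commit
access-list mode manual-commit
^
ERROR: % Invalid input detected at '^' marker.
[OK] access-list L3_access_in line 1 remark Test rule
[OK] access-list L3_access_in line 2 extended permit ip object Win-L2-TermServ any
[ERROR] access-list commit
access-list commit
ERROR: % Incomplete command
[ERROR] access-list mode auto-commit
access-list mode auto-commit
^
ERROR: % Invalid input detected at '^' marker.
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_TRANSCRIPT)
    print("ACL entries applied:", report["applied"])
    print("wrapper commands rejected:", report["wrapper_failures"])
    print("real ACL commands rejected:", report["real_failures"])
```

The script only interprets what ASDM reports; the authoritative check remains `show access-list` on the ASA itself after the apply, which is how the later replies in this thread confirmed that the entries had in fact been added.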
06-25-2019 03:48 AM - edited 06-25-2019 04:43 AM
I've just tried
asdm image disk0:/asdm-openjre-7122.bin
asdm image disk0:/asdm-7122.bin
both of these seem affected
asdm-7121.bin seems to work fine, but then I can't get onto the firepower gui
06-29-2019 08:28 AM
This issue is related to bug CSCvq05064, which is now visible to the customers. You can subscribe to notifications to get weekly/monthly updates about it and for more information when the fix will be available.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq05064/?reffering_site=dumpcr
* Symptom:
not able to edit an entry using ASDM and OpenJRE/Oracle 7.12.2
the following error is seen
[ERROR] access-list mode manual-commit
access-list mode manual-commit
^
ERROR: % Invalid input detected at '^' marker.
[OK] no access-list ACL1 line 1 extended permit tcp object my-obj-1 object my-obj-2 eq 12345
[ERROR] access-list commit
access-list commit
ERROR: % Incomplete command
[ERROR] access-list mode auto-commit
access-list mode auto-commit
^
ERROR: % Invalid input detected at '^' marker.
* Workaround:
n/a
on version 7.12.1 the issue is not seen
As a workaround, I suggest you use ASDM version 7.12.1 since the issue is not seen there. However, since you're running ASA 9.12.2, ASDM 7.12.1 is not compatible, so try to downgrade both the ASA and the ASDM.
https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#pgfId-226294
07-09-2019 06:32 PM
I'm afraid I already tried that, but it seemed to cause problems accessing the firepower device
(since I updated the firepower module to the latest version)
07-19-2019 09:04 AM - edited 07-19-2019 09:07 AM
Downgrade to ASDM 7.12.1 or wait for newer ASDM version.
Seems the access-list changes do get applied even though you get the annoying warning though so probably best to just wait for a fixed ASDM to come out.
How often do you actually need to make changes in the Firepower GUI?
07-19-2019 09:21 AM
Question: Since the bugfix shows itself as "fixed" where exactly can one find the current/working release?
I'm currently working on my first ASA cluster and I'm wondering if I made a poor purchasing decision considering how the most basic, fundamental functions were not tested (or the choice was made to release critically broken software) in software that is published as a "suggested release version"
My Cisco experience is on the router/IOS side and a few Catalyst switches along the way and while there are always bugs, they're almost always limited to oddball situations/use cases. Are fundamental bugs the norm in ASA release software?
07-19-2019 10:19 AM
I've only seen ASDM fail on a couple occasions over 5 years
Couple times when Java updated and there was an issue with previous SSL/TLS ciphers and with Windows 10
And this time with ASDM 7.12.2. ASA is pretty solid otherwise (assuming you got the ASA with firepower services image)
Again just downgrade to ASDM 7.12.1 and no more issue. I'm not sure why the previous person had an issue with Firepower GUI on ASDM, but it's generally better to use Firepower Management Center anyways as it's beyond annoying to manage Firepower locally for multiple devices
If you want to go for stability the 9.9.2 interim or 9.8.3 interim is very stable with ASDM 7.10 up to ASDM 7.12.1
08-20-2019 03:40 AM
Since I've updated the firepower to the latest release, ASDM 7.12.1 doesn't seem to work with it as far as the GUI is concerned, only 7.12.2, so I'll need to wait for them to release another version.
Firepower Management Center isn't really an option for me at the moment as I'm working in a PCI environment where I'm limited on what I can install. Installing a full blown VM just for one box is a bit overboard for what we need at the moment.
08-28-2019 07:36 AM
I get same error messages, but changes were made anyways.
10-22-2019 03:40 AM
Same here with 9.8(4)10 and ASDM 7.12(2) - we get the error messages but ACL changes were made.
03-17-2022 09:49 AM - edited 03-17-2022 09:50 AM
Thank you for the bug link. It worked for me after updating ASDM from 7.12.2 to fix release 7.13.1 based on the bug link that you shared.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq05064