Cisco ASA5516-X 9.12.2 / ASDM 7.12.2 / access-list mode manual-commit / auto-commit bug

support (Level 1):

Hi,

I've recently updated a Cisco ASA5516-X (with Firepower) to firmware 9.12.2 with ASDM 7.12.2.

However, this seems to have caused a problem when updating access control lists via the ASDM. It now adds "access-list mode manual-commit" and "access-list mode auto-commit" to the beginning and the end of the list of commands it issues to the firewall when applying ACL changes via the ASDM.

 

So, for example:

      access-list mode manual-commit
      access-list L3_access_in line 1 remark Test rule
      access-list L3_access_in line 2 extended permit ip object Win-L2-TermServ any 
      access-list commit
      access-list mode auto-commit

which results in an error of:

[ERROR] access-list mode manual-commit

access-list mode manual-commit
                 ^
ERROR: % Invalid input detected at '^' marker.

[OK] access-list L3_access_in line 1 remark Test rule
[OK] access-list L3_access_in line 2 extended permit ip object Win-L2-TermServ any
[ERROR] access-list commit

access-list commit
ERROR: % Incomplete command

[ERROR] access-list mode auto-commit

access-list mode auto-commit
                 ^
ERROR: % Invalid input detected at '^' marker.

I suspect this might be a bug with the ASDM.

According to this list it should all be compatible:

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#id_59423

 

10 Replies

support (Level 1):

I've just tried:

asdm image disk0:/asdm-openjre-7122.bin
asdm image disk0:/asdm-7122.bin

Both of these seem affected.

asdm-7121.bin seems to work fine, but then I can't get onto the Firepower GUI.

Margarita Malacara Cruz (Cisco Employee):

This issue is related to bug CSCvq05064, which is now visible to customers. You can subscribe to notifications to get weekly/monthly updates about it, and for more information on when the fix will be available.

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq05064/?reffering_site=dumpcr

 

* Symptom:

Not able to edit an entry using ASDM 7.12.2 (OpenJRE/Oracle); the following error is seen:

[ERROR] access-list mode manual-commit
access-list mode manual-commit
                 ^
ERROR: % Invalid input detected at '^' marker.
[OK] no access-list ACL1 line 1 extended permit tcp object my-obj-1 object my-obj-2 eq 12345
[ERROR] access-list commit
access-list commit
ERROR: % Incomplete command
[ERROR] access-list mode auto-commit
access-list mode auto-commit
                 ^
ERROR: % Invalid input detected at '^' marker.

* Workaround:

n/a

On version 7.12.1 the issue is not seen.

 

 

As a workaround, I suggest you use ASDM version 7.12.1 since the issue is not seen there. However, since you're running ASA 9.12.2, ASDM 7.12.1 is not compatible, so try to downgrade both the ASA and the ASDM.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#pgfId-226294

 

I'm afraid I already tried that, but it seemed to cause problems accessing the Firepower device (since I updated the Firepower module to the latest version).

Downgrade to ASDM 7.12.1 or wait for a newer ASDM version.

 

It seems the access-list changes do get applied even though you get the annoying warning, so it's probably best to just wait for a fixed ASDM to come out.

 

How often do you actually need to make changes in the Firepower GUI?

Question: Since the bug shows itself as "fixed", where exactly can one find the current/working release?



I'm currently working on my first ASA cluster and I'm wondering if I made a poor purchasing decision, considering how the most basic, fundamental functions were not tested (or the choice was made to release critically broken software) in software that is published as a "suggested release version".

My Cisco experience is on the router/IOS side and a few Catalyst switches along the way, and while there are always bugs, they're almost always limited to oddball situations/use cases. Are fundamental bugs the norm in ASA release software?

I've only seen ASDM fail on a couple of occasions over 5 years: a couple of times when Java updated and there was an issue with previous SSL/TLS ciphers, and with Windows 10; and this time with ASDM 7.12.2. ASA is pretty solid otherwise (assuming you got the ASA with the Firepower services image).

Again, just downgrade to ASDM 7.12.1 and there's no more issue. I'm not sure why the previous person had an issue with the Firepower GUI on ASDM, but it's generally better to use Firepower Management Center anyway, as it's beyond annoying to manage Firepower locally for multiple devices.

If you want to go for stability, the 9.9.2 interim or 9.8.3 interim is very stable with ASDM 7.10 up to ASDM 7.12.1.

Since I've updated the Firepower module to the latest release, ASDM 7.12.1 doesn't seem to work with it as far as the GUI is concerned, only 7.12.2, so I'll need to wait for them to release another version.

Firepower Management Center isn't really an option for me at the moment, as I'm working in a PCI environment where I'm limited on what I can install. Installing a full-blown VM just for one box is a bit overboard for what we need at the moment.

I get the same error messages, but the changes were made anyway.

Same here with 9.8(4)10 and ASDM 7.12(2): we get the error messages, but the ACL changes were made.
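Several replies above report that the ACL entries go through even though ASDM shows three errors, which is exactly the situation where a practitioner wants a check rather than trust. The script below is an added example, not code from this thread or from Cisco: it parses the `[OK]`/`[ERROR]` lines of the ASDM preview output in the format pasted above, treats the three wrapper commands (`access-list mode manual-commit`, `access-list commit`, `access-list mode auto-commit`) as the expected CSCvq05064 noise, flags any other failed command as a real error, and then compares the entries that reported `[OK]` against a `show running-config access-list` dump. The sample log and running-config text are constructed from the outputs in the thread, not captured from a device, and the check assumes the running config lists ACEs without the `line N` keyword, as the ASA does.

```python
"""Triage an ASDM command-preview log from the CSCvq05064 situation.

Added example, not code from the thread or from Cisco.  It reads the
"[OK] ..." / "[ERROR] ..." lines that ASDM shows when it applies an
ACL change, separates the three wrapper commands that ASDM 7.12.2
emits (and that an ASA which does not understand them rejects) from
any failure of the ACL entries themselves, and then checks the
entries that reported [OK] against a `show running-config access-list`
dump.  Sample inputs below are constructed from the outputs pasted in
the thread, not captured from a live device.
"""
import re

# The three commands ASDM 7.12.2 wraps around every ACL edit.  When the
# ASA rejects them the ACL lines in between still go through, as the
# thread reports; any other [ERROR] is a real failure.
WRAPPER_COMMANDS = {
    "access-list mode manual-commit",
    "access-list commit",
    "access-list mode auto-commit",
}

_STATUS_RE = re.compile(r"^\[(OK|ERROR)\]\s+(.*\S)$")
# "[no] access-list NAME line N <rest>" as sent by ASDM.
_ACE_RE = re.compile(r"^(no\s+)?access-list\s+(\S+)\s+line\s+\d+\s+(.+)$")


def parse_asdm_log(text):
    """Return (status, command) pairs; echoed commands, '^' markers and
    'ERROR: %' lines do not start with [OK]/[ERROR] and are ignored."""
    pairs = []
    for raw in text.splitlines():
        m = _STATUS_RE.match(raw.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def triage(text):
    """Split the log into applied commands, expected wrapper errors and
    real errors.  Only an empty 'real_errors' means the edit is intact."""
    result = {"applied": [], "wrapper_errors": [], "real_errors": []}
    for status, cmd in parse_asdm_log(text):
        if status == "OK":
            result["applied"].append(cmd)
        elif cmd in WRAPPER_COMMANDS:
            result["wrapper_errors"].append(cmd)
        else:
            result["real_errors"].append(cmd)
    return result


def expected_config(applied):
    """Derive what the running config must contain (present) and must
    not contain (absent).  The ASA running config shows ACEs without
    the 'line N' keyword, so it is dropped here."""
    present, absent = set(), set()
    for cmd in applied:
        m = _ACE_RE.match(cmd)
        if not m:
            continue  # not an ACL entry, e.g. an object change
        negated, name, rest = m.groups()
        entry = f"access-list {name} {rest}"
        (absent if negated else present).add(entry)
    return present, absent


def verify(applied, running_config):
    """Compare the [OK] entries with a `show running-config access-list`
    dump.  Returns (missing, lingering): entries that should be there
    but are not, and deleted entries that are still present."""
    present, absent = expected_config(applied)
    config = {line.strip() for line in running_config.splitlines() if line.strip()}
    missing = sorted(e for e in present if e not in config)
    lingering = sorted(e for e in absent if e in config)
    return missing, lingering


# Constructed sample: the original poster's preview log, whitespace tidied.
SAMPLE_LOG = """\
[ERROR] access-list mode manual-commit
access-list mode manual-commit
                 ^
ERROR: % Invalid input detected at '^' marker.
[OK] access-list L3_access_in line 1 remark Test rule
[OK] access-list L3_access_in line 2 extended permit ip object Win-L2-TermServ any
[ERROR] access-list commit
access-list commit
ERROR: % Incomplete command
[ERROR] access-list mode auto-commit
access-list mode auto-commit
                 ^
ERROR: % Invalid input detected at '^' marker.
"""

# Constructed sample of what `show running-config access-list` would
# show afterwards if both entries landed.
SAMPLE_RUNNING_CONFIG = """\
access-list L3_access_in remark Test rule
access-list L3_access_in extended permit ip object Win-L2-TermServ any
"""

if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    print("applied:        ", t["applied"])
    print("wrapper errors: ", t["wrapper_errors"])
    print("real errors:    ", t["real_errors"])
    print("missing/lingering:", verify(t["applied"], SAMPLE_RUNNING_CONFIG))
```

Paste your own preview log and the output of `show running-config access-list` in place of the samples; compare against the running config rather than `show access-list`, whose lines carry line numbers and hit counts that would not match. A clean result only confirms that the ACL entries landed; the wrapper errors themselves only go away with an ASDM build that has the fix.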

Thank you for the bug link. It worked for me after updating ASDM from 7.12.2 to the fixed release 7.13.1, based on the bug link that you shared.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq05064
