01-06-2011 01:21 AM - edited 03-11-2019 12:30 PM
Hi,
I use FWSM on a 6500 with software 3.1(3).
When I add hosts or services into an existing object-group, the firewall doesn't process the existing ACL that involves that object-group.
I have to remove the ACL and re-insert it once to activate it. I tested 10 times and found the issue 7-8 times. I'm not sure whether this is a bug or not, but I found some bugs that may be related.
FWSM: ACLs missing after adding items to object-groups
Symptom: If adding additional network-objects to object-groups fails with the following error, "access-list" lines may be missing from the config afterwards:
Modifying an ACL with an object-group could cause ACL corruption
Thanks
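A way to catch the symptom described above without eyeballing the ACL: expand the object-groups in the running config into the access-list entries they should produce, then compare that set against what the firewall reports as its compiled access-list. The following is an added example (not code from the forum thread or from Cisco). The config snippet and the indented `show access-list` expansion are constructed for the example; the exact format of the expanded lines, the group and ACL names, and the addresses are assumptions, so adjust the regex to match your platform's actual output.

```python
"""Detect access-list entries that an object-group change should have produced
but that the firewall's compiled access-list does not contain.

Constructed example for illustration: the config and the 'show access-list'
output below are made up, and the line format is an assumption.
"""
import re
from itertools import product

# Constructed running-config: host 10.1.1.12 was added to INSIDE-SERVERS after
# the ACL was first compiled.
RUNNING_CONFIG = """
object-group network INSIDE-SERVERS
 network-object host 10.1.1.10
 network-object host 10.1.1.11
 network-object host 10.1.1.12
object-group network DMZ-WEB
 network-object host 192.168.5.20
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE-IN extended permit tcp object-group DMZ-WEB object-group INSIDE-SERVERS object-group WEB-PORTS
"""

# Constructed 'show access-list' output (format assumed): the expansion still
# reflects the old group membership, so the 10.1.1.12 lines are absent.
SHOW_ACCESS_LIST = """
access-list OUTSIDE-IN line 1 extended permit tcp object-group DMZ-WEB object-group INSIDE-SERVERS object-group WEB-PORTS
  access-list OUTSIDE-IN line 1 extended permit tcp host 192.168.5.20 host 10.1.1.10 eq 80 (hitcnt=12)
  access-list OUTSIDE-IN line 1 extended permit tcp host 192.168.5.20 host 10.1.1.10 eq 443 (hitcnt=3)
  access-list OUTSIDE-IN line 1 extended permit tcp host 192.168.5.20 host 10.1.1.11 eq 80 (hitcnt=0)
  access-list OUTSIDE-IN line 1 extended permit tcp host 192.168.5.20 host 10.1.1.11 eq 443 (hitcnt=0)
"""

# Indented expansion lines only; the unindented line is the object-group ACE itself.
ACE_RE = re.compile(r"^\s+(access-list \S+) line \d+ (extended \S+ \S+ .*?)(?: \(hitcnt=\d+\).*)?$")


def parse_config(text):
    """Return (object_groups, acl_lines). Group members are ('leaf', text) or ('group', name)."""
    groups, acls, current = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("object-group "):
            current = line.split()[2]
            groups[current] = []
        elif line.startswith(" ") and current:          # member line of the open group
            parts = line.split()
            if parts[0] == "group-object":
                groups[current].append(("group", parts[1]))
            else:                                        # network-object / port-object ...
                groups[current].append(("leaf", " ".join(parts[1:])))
        elif line.startswith("access-list "):
            current = None
            acls.append(line)
    return groups, acls


def expand_group(name, groups, seen=()):
    """Flatten a group, following nested group-object references and refusing loops."""
    if name in seen:
        raise ValueError(f"object-group loop at {name}")
    out = []
    for kind, value in groups[name]:
        out.extend(expand_group(value, groups, seen + (name,)) if kind == "group" else [value])
    return out


def _operands(tokens, groups):
    """Turn an ACE's operand tokens into a list of per-field candidate lists."""
    fields, i = [], 0
    while i < len(tokens):
        t = tokens[i]
        if t == "object-group":
            fields.append(expand_group(tokens[i + 1], groups)); i += 2
        elif t in ("host", "eq", "gt", "lt", "neq"):
            fields.append([f"{t} {tokens[i + 1]}"]); i += 2
        elif t == "range":
            fields.append([f"range {tokens[i + 1]} {tokens[i + 2]}"]); i += 3
        elif t == "any":
            fields.append(["any"]); i += 1
        elif re.fullmatch(r"\d+\.\d+\.\d+\.\d+", t):     # network followed by mask
            fields.append([f"{t} {tokens[i + 1]}"]); i += 2
        else:
            raise ValueError(f"unsupported token {t!r}")
    return fields


def expected_aces(config_text):
    """Every concrete ACE the config implies once object-groups are expanded."""
    groups, acls = parse_config(config_text)
    aces = set()
    for line in acls:
        tok = line.split()                               # access-list NAME extended ACTION PROTO ...
        name, action, proto = tok[1], tok[3], tok[4]
        for combo in product(*_operands(tok[5:], groups)):
            aces.add(f"access-list {name} extended {action} {proto} " + " ".join(combo))
    return aces


def compiled_aces(show_text):
    """Concrete ACEs the firewall reports in its expanded 'show access-list' output."""
    return {f"{m.group(1)} {m.group(2)}" for m in map(ACE_RE.match, show_text.splitlines()) if m}


def stale_aces(config_text, show_text):
    """(missing, extra): ACEs the config implies but the firewall lacks, and vice versa."""
    exp, got = expected_aces(config_text), compiled_aces(show_text)
    return sorted(exp - got), sorted(got - exp)


if __name__ == "__main__":
    missing, extra = stale_aces(RUNNING_CONFIG, SHOW_ACCESS_LIST)
    print("missing from compiled ACL:", *missing, sep="\n  ")
    print("not implied by config:", *extra, sep="\n  ")
```

Run it against a `show running-config` capture and a `show access-list` capture from the same context; a non-empty "missing" list after an object-group edit is the condition the post describes, and the list should go empty after the ACL is removed and re-added.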
01-06-2011 01:28 AM
FWSM version 3.1.3 is quite an old version of code.
Can you please check if ACL count has hit the hardware limit? Please share the output of "show np 3 acl stats" from the FWSM.
In any case, it does seem to match bug ID CSCtd78604, but it might be a good idea to open a TAC case to further investigate the issue, or I would recommend upgrading the FWSM to at least the latest version of 3.2.x.
01-06-2011 02:14 AM
Hi Jennifer,
Thanks for your advice. Here is the output from the internal-server context:
sh np 3 acl stats
----------------------------
ACL Tree Statistics
----------------------------
Rule count : 496
Bit nodes (PSCB's): 464
Leaf nodes : 465
Total nodes : 929 (max 28356)
Leaf chains : 42
Total stored rules: 496
Max rules in leaf : 3
Node depth : 12
----------------------------
Here is the output from the admin context:
sh np 3 acl stats
----------------------------
ACL Tree Statistics
----------------------------
Rule count : 45
Bit nodes (PSCB's): 40
Leaf nodes : 41
Total nodes : 81 (max 28356)
Leaf chains : 14
Total stored rules: 55
Max rules in leaf : 3
Node depth : 9
----------------------------
01-06-2011 03:13 AM
That seems to be just fine.
It seems that you are hitting one or both of the bugs that you mentioned earlier. Please upgrade the FWSM to at least the latest version of 3.2.x.
01-06-2011 07:20 AM
The one that you found, CSCse60868, is ONE reason why you should upgrade.
This one jumbles the acl and puts the implicit deny on the top of the acl thereby denying all permit traffic.
There was a PSIRT on this one that you can read here: http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml
FWSM code download link:
http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm
Click on the All new releases will be available "here"
The latest in the 3.1.x train is 3.1(19)
The latest in the 4.0 train is 4.0.13
The latest in the 3.2 train is 3.2(19)
The latest in the 4.1 train is 4.1(3)
ASDM is asdm-62(1)f.bin
-KS