SFR access control policy

adamgibs7
Level 6

Dears,

You may be thinking that what I am saying is not logical, but it is happening to me.

 

Problems:

I have exempted certain managers from restrictions, and they are hitting the proper policy and things are working fine. As soon as I make an additional policy to deny any any from the inside zone to the outside zone, managers' and users' traffic starts hitting the deny policy and things get blocked.

 

Please find the attached error. Is it this error that is making the problem?

Accepted Solution

yogdhanu
Cisco Employee

Hi

 

The error screenshot and the problem seem not to be connected.

The error that you get may be because a realm for which some user-based rules were created is still referenced in the access control policy, but the realm has already been deleted.

You would need to delete the user-based rules from the ACP which reference the deleted realm.

 

I assume that with this error you cannot deploy the policy. With that, creating a deny rule should not affect anyone, because the rules are not deployed.

 

Maybe I didn't get the problem right.

 

Hope this helps,

Yogesh

 


3 Replies


Dear Yogdhanu,

 

The rules get deployed and they become active (even by the hit counts); this means the error is not affecting them.

 

I have only one realm, and no such user groups are deleted on a daily basis. Hence I was mentioning the managers rule, in which I am calling the managers; their group has not changed for many years.

 

Thanks

Hi

 

Can you share the actual rules screenshot?

Or maybe run system support firewall-engine-debug or system support trace (if above 6.2) and check how the traffic is matched against the rules. That would give us some more idea of what's happening.

 

 
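To make the "check how the traffic is matched against the rules" suggestion concrete, here is an added example (not code from the thread, and not Cisco's engine) that models an access control policy as a first-match, top-down rule list and prints a trace similar in spirit to what you would read out of a firewall-engine-debug session. The rule names, zones, addresses, user names and the user-to-IP identity map are all constructed for illustration. One assumption is built in and should be verified against the real debug output: a rule with a user condition is modelled as matching only when the firewall already has a user-to-IP mapping for the source address, so a manager whose workstation has no mapping is skipped by the exemption rule and falls through to the later deny any any rule.

```python
# Added example (not from the thread): a simplified first-match model of an
# FTD access control policy, showing how a user-based exemption rule can be
# skipped so that traffic falls through to a later "deny any any" rule.
# Rule names, zones, addresses, users and the identity map are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "block"
    src_zone: Optional[str] = None     # None means any zone
    dst_zone: Optional[str] = None
    src_net: Optional[str] = None      # CIDR string, None means any address
    users: frozenset = frozenset()     # empty means no user condition


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_zone: str
    dst_zone: str


def check_rule(rule: Rule, flow: Flow, identity_map: Dict[str, str]) -> Tuple[bool, str]:
    """Return (matched, reason) for one rule evaluated against one flow."""
    if rule.src_zone and rule.src_zone != flow.src_zone:
        return False, "source zone mismatch"
    if rule.dst_zone and rule.dst_zone != flow.dst_zone:
        return False, "destination zone mismatch"
    if rule.src_net and ip_address(flow.src_ip) not in ip_network(rule.src_net):
        return False, "source network mismatch"
    if rule.users:
        # Assumption modelled here: a user condition can only match when the
        # firewall holds a user-to-IP mapping for the source address; with no
        # mapping the rule is skipped, not matched.
        user = identity_map.get(flow.src_ip)
        if user is None:
            return False, "no user-to-IP mapping for source"
        if user not in rule.users:
            return False, f"user {user} not in rule"
    return True, "matched"


def trace(policy: List[Rule], flow: Flow, identity_map: Dict[str, str]) -> List[Tuple[str, bool, str]]:
    """Walk the policy top-down, recording each rule's verdict, stop at first match."""
    steps = []
    for rule in policy:
        matched, reason = check_rule(rule, flow, identity_map)
        steps.append((rule.name, matched, reason))
        if matched:
            break
    return steps


def evaluate(policy: List[Rule], flow: Flow, identity_map: Dict[str, str],
             default_action: str = "block") -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule, else the default action."""
    for rule in policy:
        matched, _ = check_rule(rule, flow, identity_map)
        if matched:
            return rule.name, rule.action
    return "Default Action", default_action


# Constructed policy in the order the original poster describes: the managers
# exemption first, then the deny any any from inside to outside.
MANAGERS = frozenset({"CORP\\alice", "CORP\\bob"})
POLICY = [
    Rule("Exempt Managers", "allow", "inside", "outside", users=MANAGERS),
    Rule("Deny Inside to Outside", "block", "inside", "outside"),
]
# Constructed identity map: alice's workstation is mapped to a user, bob's is not.
IDENTITY = {"10.1.1.10": "CORP\\alice"}


def demo() -> Dict[str, Tuple[str, str]]:
    """Evaluate one mapped and one unmapped manager workstation against POLICY."""
    return {ip: evaluate(POLICY, Flow(ip, "inside", "outside"), IDENTITY)
            for ip in ("10.1.1.10", "10.1.1.20")}


if __name__ == "__main__":
    for ip, (rule, action) in demo().items():
        print(f"{ip}: {action} by '{rule}'")
    for name, matched, reason in trace(POLICY, Flow("10.1.1.20", "inside", "outside"), IDENTITY):
        print(f"  {name}: {'match' if matched else 'skip'} ({reason})")
```

Running it shows 10.1.1.10 allowed by "Exempt Managers" while 10.1.1.20, whose user is not known to the firewall, is blocked by "Deny Inside to Outside"; the trace line for the skipped rule gives the reason. Reversing the two rules blocks even the mapped manager, which is the other thing to rule out when a new deny rule suddenly catches exempted traffic.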
