Cannot remove access list

khuysmans (Level 1)

Hello,

There is an access-list in my configuration which I for some reason cannot get removed.

It looks like this:

access-list acl-nw; 2 elements
access-list acl-nw line 1 permit ip object-group siteA-ip object-group siteB-ip
access-list acl-nw line 1 permit ip 192.168.9.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw line 1 permit ip 192.168.10.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)

When I try to "no access-list acl-nw line 1 permit ip object-group siteA-ip object-group siteB-ip" in configuration mode, I get the error:

ERROR: access-list <acl-nw> not found

But both the running config and "show access-list" show it as there.

I can even add a new ACL named exactly the same. So, in configuration mode trying "access-list acl-nw permit ip object-group siteA-ip object-group siteB-ip" will not only not produce an error, it will create the "acl-nw" ACL looking exactly the same as before.

After issuing the above command, "show access-list" returns:

access-list acl-nw; 2 elements
access-list acl-nw permit ip object-group siteA-ip object-group siteB-ip
access-list acl-nw line 1 permit ip 192.168.9.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw line 1 permit ip 192.168.10.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw; 2 elements
access-list acl-nw permit ip object-group siteA-ip object-group siteB-ip
access-list acl-nw line 1 permit ip 192.168.9.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw line 1 permit ip 192.168.10.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)

So it is in there twice.

I have tried clearing it with "clear access-list acl-nw" and with the "no" statements. I can clear the second one just fine, both with "clear" and "no".

I am at a loss. I cannot think of another way to remove that line.

Is this a known bug?

Kind regards,

Kevin
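The symptom in the question is visible in the "show access-list" text itself: after the re-add, the same ACL name carries two headers, and the object-group entry no longer carries a "line N" number. The following Python script is an added example (not part of the thread or of any Cisco tool) that parses output of the shape quoted above into per-ACL blocks and flags exactly those anomalies, plus a header element count that does not match the expanded entries. It assumes only the three line shapes seen in the thread (a "; N elements" header, an ACE with an optional "line N", and an expanded ACE ending in "(hitcnt=N)"); the two sample outputs are constructed copies of the ones quoted in the question.

```python
"""Parser and sanity checker for PIX/ASA 'show access-list' output.

Added example, not code from the thread. It groups the output into ACL
blocks (one per "; N elements" header) and reports:
  - duplicate: the same ACL name appears under more than one header
  - count-mismatch: the header's element count differs from the number
    of expanded entries (the ones carrying a hit counter)
  - unnumbered: an entry that has no "line N" position
Only the line shapes quoted in the thread are recognised (assumption).
"""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^access-list (\S+); (\d+) elements$")
ACE_RE = re.compile(
    r"^access-list (\S+) (?:line (\d+) )?(permit|deny) (.*?)(?: \(hitcnt=(\d+)\))?$"
)


def parse_show_access_list(text):
    """Split 'show access-list' output into blocks, one per ACL header."""
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m.group(1), "declared": int(m.group(2)), "aces": []}
            blocks.append(current)
            continue
        m = ACE_RE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than guess
        name, lineno, action, body, hits = m.groups()
        if current is None or current["name"] != name:
            # ACE with no preceding header for this ACL: open a headerless block
            current = {"name": name, "declared": None, "aces": []}
            blocks.append(current)
        current["aces"].append({
            "line": int(lineno) if lineno else None,
            "action": action,
            "body": body,
            # only the expanded (enforced) entries carry a hit counter
            "expanded": hits is not None,
            "hitcnt": int(hits) if hits is not None else None,
        })
    return blocks


def audit_blocks(blocks):
    """Return a list of (acl_name, kind, detail) findings."""
    findings = []
    by_name = defaultdict(list)
    for b in blocks:
        by_name[b["name"]].append(b)
    for name, group in by_name.items():
        if len(group) > 1:
            findings.append((name, "duplicate", f"ACL header listed {len(group)} times"))
        for b in group:
            expanded = [a for a in b["aces"] if a["expanded"]]
            if b["declared"] is not None and b["declared"] != len(expanded):
                findings.append((name, "count-mismatch",
                                 f"header says {b['declared']} elements, "
                                 f"saw {len(expanded)} expanded entries"))
            for a in b["aces"]:
                if a["line"] is None:
                    findings.append((name, "unnumbered", f"{a['action']} {a['body']}"))
    return findings


def finding_kinds(text):
    """Convenience: just the kinds of findings for a raw output string."""
    return [kind for _, kind, _ in audit_blocks(parse_show_access_list(text))]


# Constructed samples, copied from the two outputs quoted in the question.
BEFORE = """\
access-list acl-nw; 2 elements
access-list acl-nw line 1 permit ip object-group siteA-ip object-group siteB-ip
access-list acl-nw line 1 permit ip 192.168.9.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw line 1 permit ip 192.168.10.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
"""

AFTER = """\
access-list acl-nw; 2 elements
access-list acl-nw permit ip object-group siteA-ip object-group siteB-ip
access-list acl-nw line 1 permit ip 192.168.9.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw line 1 permit ip 192.168.10.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw; 2 elements
access-list acl-nw permit ip object-group siteA-ip object-group siteB-ip
access-list acl-nw line 1 permit ip 192.168.9.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw line 1 permit ip 192.168.10.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for name, kind, detail in audit_blocks(parse_show_access_list(text)):
            print(f"{label}: {name} {kind}: {detail}")
```

Run it as-is and the "before" sample produces no findings, while the "after" sample reports one duplicate header and two unnumbered entries; feeding it a saved "show access-list" capture from a firewall of the same output format gives the same kind of report per ACL, which is a quick way to spot an ACL that has drifted from its running-config definition before trying to clean it up.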

7 Replies

khuysmans (Level 1)

Anybody?

I had this issue once, but it's not the ACL name, it's the username.

I created a user named abc123, and later on I can't remove it, but yet I can create/delete a new abc123.

I simply think this is a bug.

pciaccio (Level 4)

I remember in my PIX class training an issue with dynamic ACLs where they could not be deleted the old traditional way. Because they are dynamic, the trigger that creates the ACL needs to be halted. Then the dynamic ACL will be released/removed... I personally have not come across this issue... Hope this leads you in the right direction....

Interesting.

Does anybody know how to halt the trigger that creates the ACL?

Kevin

From what I remember, as long as something is triggering the ACL then it will always be there. I see from your ACL there is a reference to an IP object-group: "access-list acl-nw line 1 permit ip object-group siteA-ip object-group siteB-ip". Your answer may lie in this object-group...

Unfortunately, I cannot remove those object-groups since they are also used in a crypto match for a few VPN tunnels.

Does anybody know how to halt this process without removing those object-groups?

I don't recall if there is any one command to turn off the VPN access; however, the quick way may be to shut down the interface that the VPN tunnels come in on. Once that is done the access list should go away and you should be able to remove any reference to it, then bring the interface back up....
