02-21-2006 04:19 AM - edited 02-20-2020 09:36 PM
Hello,
There is an access-list in my configuration which, for some reason, I cannot get removed.
It looks like this:
access-list acl-nw; 2 elements
access-list acl-nw line 1 permit ip object-group siteA-ip object-group siteB-ip
access-list acl-nw line 1 permit ip 192.168.9.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw line 1 permit ip 192.168.10.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
When I try to "no access-list acl-nw line 1 permit ip object-group siteA-ip object-group siteB-ip" in configuration mode, I get the error:
ERROR: access-list <acl-nw> not found
But both the running config and "show access-list" show it as there.
I can even add a new ACL named exactly the same. So, in configuration mode, trying "access-list acl-nw permit ip object-group siteA-ip object-group siteB-ip" will not only not produce an error, it will create the "acl-nw" ACL looking exactly the same as before.
After issuing the above command, "show access-list" returns:
access-list acl-nw; 2 elements
access-list acl-nw permit ip object-group siteA-ip object-group siteB-ip
access-list acl-nw line 1 permit ip 192.168.9.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw line 1 permit ip 192.168.10.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw; 2 elements
access-list acl-nw permit ip object-group siteA-ip object-group siteB-ip
access-list acl-nw line 1 permit ip 192.168.9.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw line 1 permit ip 192.168.10.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
So it is in there twice.
I have tried clearing it with "clear access-list acl-nw" and with the "no" statements. I can clear the second one just fine, both with "clear" and "no".
I am at a loss. I cannot think of another way to remove that line.
Is this a known bug?
kind regards,
Kevin
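As an added example, not part of the post above or of any Cisco tooling: a small Python parser for the "show access-list" output format quoted in the post. It groups entry lines under each "access-list NAME; N elements" header, flags a name that appears under more than one header (the "in there twice" condition), checks each header's element count against the expanded "(hitcnt=N)" rows beneath it, and emits the "no access-list" form of each configured (object-group) line in the syntax the post tried. The sample input is constructed from the output in the post; the regular expressions assume the line layout shown there and nothing else about the device.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the "show access-list" output quoted
# in the post above (the same ACL listed under two headers).
SAMPLE_OUTPUT = """\
access-list acl-nw; 2 elements
access-list acl-nw permit ip object-group siteA-ip object-group siteB-ip
access-list acl-nw line 1 permit ip 192.168.9.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw line 1 permit ip 192.168.10.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw; 2 elements
access-list acl-nw permit ip object-group siteA-ip object-group siteB-ip
access-list acl-nw line 1 permit ip 192.168.9.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list acl-nw line 1 permit ip 192.168.10.0 255.255.255.0 192.168.13.0 255.255.255.0 (hitcnt=0)
"""

# "access-list <name>; <n> elements" opens a block for one ACL.
HEADER_RE = re.compile(r"^access-list (\S+); (\d+) elements$")
# Entry lines: the configured line (object-groups, no hitcnt) and the
# expanded per-network lines that carry "(hitcnt=N)". Layout assumed from the post.
ENTRY_RE = re.compile(
    r"^access-list (\S+)(?: line (\d+))? (permit|deny) (\S+) (.*?)"
    r"(?: \(hitcnt=(\d+)\))?$"
)


def parse_show_access_list(text):
    """Return one dict per ACL header: name, claimed element count, entries."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            blocks.append({"name": m.group(1),
                           "elements": int(m.group(2)),
                           "entries": []})
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # unrelated output line
        name, lineno, action, proto, match, hits = m.groups()
        if not blocks or blocks[-1]["name"] != name:
            raise ValueError("entry outside its ACL block: " + line)
        blocks[-1]["entries"].append({
            "line": int(lineno) if lineno else None,
            "action": action,
            "proto": proto,
            "match": match,
            "hitcnt": int(hits) if hits is not None else None,
            # rows with a hitcnt are the per-network expansion of object-groups
            "expanded": hits is not None,
        })
    return blocks


def duplicate_acl_names(blocks):
    """ACL names listed under more than one header (the 'in there twice' case)."""
    counts = Counter(b["name"] for b in blocks)
    return sorted(n for n, c in counts.items() if c > 1)


def element_count_mismatches(blocks):
    """(name, claimed, actual) where the header's element count differs from
    the number of expanded rows actually listed beneath it."""
    out = []
    for b in blocks:
        actual = sum(1 for e in b["entries"] if e["expanded"])
        if actual != b["elements"]:
            out.append((b["name"], b["elements"], actual))
    return out


def removal_commands(blocks):
    """'no access-list ...' for each configured (non-expanded) line, in the
    form the post tried; expanded hitcnt rows are not configured lines."""
    cmds = []
    for b in blocks:
        for e in b["entries"]:
            if e["expanded"]:
                continue
            parts = ["no", "access-list", b["name"]]
            if e["line"] is not None:
                parts += ["line", str(e["line"])]
            parts += [e["action"], e["proto"], e["match"]]
            cmds.append(" ".join(parts))
    return cmds


if __name__ == "__main__":
    blocks = parse_show_access_list(SAMPLE_OUTPUT)
    print("duplicated ACL headers:", duplicate_acl_names(blocks))
    print("element-count mismatches:", element_count_mismatches(blocks))
    for cmd in removal_commands(blocks):
        print(cmd)
```

Run against saved "show access-list" output, the duplicate-header check is the quick way to confirm the condition the post describes before trying any "no" or "clear" command; the element-count check catches a header whose expansion no longer matches what it claims.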
02-21-2006 04:19 AM
Anybody?
02-24-2006 08:20 PM
I had this issue once, but it's not the ACL name, it's the username.
I created a user named abc123, and later on I can't remove it, but yet I can create/delete a new abc123.
I simply think this is a bug.
02-24-2006 05:59 PM
I remember in my PIX class training an issue with dynamic ACLs where they could not be deleted the old traditional way. Because they are dynamic, the trigger that creates the ACL needs to be halted. Then the dynamic ACL will be released/removed... I personally have not come across this issue... Hope this leads you in the right direction....
02-24-2006 11:10 PM
Interesting.
Does anybody know how to halt the trigger that creates the ACL?
Kevin
02-25-2006 06:09 AM
From what I remember, as long as something is triggering the ACL then it will always be there. I see from your ACL there is a reference to an IP object-group: "access-list acl-nw line 1 permit ip object-group siteA-ip object-group siteB-ip". Your answer may lie in this object-group...
02-26-2006 04:05 AM
Unfortunately, I cannot remove those object-groups since they are also used in a crypto match for a few VPN tunnels.
Does anybody know how to halt this process without removing those object-groups?
02-26-2006 09:52 AM
I don't recall if there is any one command to turn off the VPN access; however, the quick way may be to shut down the interface that the VPN tunnels come in on. Once that is done the access list should go away and you should be able to remove any reference to it, then bring the interface back up....