04-14-2009 07:01 AM - edited 03-06-2019 05:10 AM
On ISR 12.4(20)T2, the object-group for ACLs feature has a strange behaviour.
object-group service OGs_Standard
eigrp
icmp
tcp eq echo
IP access-list extended Acl_Inside
...
210 permit object-group OGs_Standard any any
220 deny ip any any log (22 matches)
1) at boot time, it works correctly
2) after some time or some changes in config, it stops allowing eigrp or icmp.
It then cuts off routing updates or ping packets:
Apr 14 14:50:01.830 CET: %SEC-6-IPACCESSLOGDP: list Acl_Inside denied icmp x.x.x.x-> y.y.y.y (8/0), 5 packets
Apr 14 14:50:01.830 CET: %SEC-6-IPACCESSLOGDP: list Acl_Inside denied icmp x.x.x.x-> y.y.y.y (8/0), 4 packets
Apr 14 14:50:01.830 CET: %SEC-6-IPACCESSLOGDP: list Acl_Inside denied icmp x.x.x.x-> y.y.y.y (8/0), 7 packets
3) if I add equivalent classical ACEs, then I can ping again:
IP access-list extended Acl_Inside
...
210 permit object-group OGs_Standard any any
220 permit eigrp any any
230 permit icmp any any (7 matches)
240 permit tcp any any eq echo
250 deny ip any any log
4) a user reported to me that ssh was allowed from one DMZ server to another (inside) one.
Nothing visible in the server's ACL could explain it.
I then added an ACE in the middle of the ACL to deny such traffic (tcp/22).
Then, ssh traffic was refused (the Linux server reported 'no route to host').
I then removed the new ACE in order to move it further down the ACL (thinking the permitting rule came after it).
But before adding the ACE again, I tried the ssh connection again:
ssh traffic was refused again!
How can I be confident in my security rules?
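One way to get that confidence back is to check the device against itself: expand each object-group ACE into the classical ACEs it is supposed to be equivalent to (which is exactly what the poster added by hand in step 3), evaluate a flow against that expanded list, and compare the verdict the policy should give with what the device actually logged. Any %SEC-6-IPACCESSLOG deny for a flow the expanded policy permits is the symptom described in this thread. The script below is an added example, not code from the thread or from Cisco; it assumes ACEs of the form `permit|deny <proto|object-group> any any [eq <port>]`, one protocol per object-group line, a small port-name table, and constructed log lines in the IPACCESSLOGDP / IPACCESSLOGP shape quoted above.

```python
"""Offline consistency check for IOS object-group ACLs (added example, not from the thread).

Assumptions: ACEs are 'any any' with at most a destination 'eq <port>', service
object-groups hold one protocol per line, and the log lines are constructed in the
%SEC-6-IPACCESSLOGDP / %SEC-6-IPACCESSLOGP shape quoted in the thread.
"""
import re

# Constructed config fragment modelled on the thread, not the poster's device config.
CONFIG = """
object-group service OGs_Standard
 eigrp
 icmp
 tcp eq echo
ip access-list extended Acl_Inside
 210 permit object-group OGs_Standard any any
 220 deny ip any any log
"""

# Constructed log lines: an ICMP deny the policy should never produce, and a
# TCP/22 deny that the policy does produce.
LOGS = [
    "Apr 14 14:50:01.830 CET: %SEC-6-IPACCESSLOGDP: list Acl_Inside denied icmp "
    "10.0.0.5-> 10.0.1.9 (8/0), 5 packets",
    "Apr 14 14:50:02.100 CET: %SEC-6-IPACCESSLOGP: list Acl_Inside denied tcp "
    "10.0.0.5(40001) -> 10.0.1.9(22), 1 packet",
]

# Small port-name table (assumption: only the names used in this example).
PORT_NAMES = {"echo": 7, "ssh": 22, "telnet": 23, "www": 80}

ACE_RE = re.compile(r"(\d+) (permit|deny) (?:object-group (\S+)|(\S+)) any any(?: eq (\S+))?")
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<verdict>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?\s*->\s*(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
)


def port(token):
    """Map a port name or number to an int; None when no port was given."""
    if token is None:
        return None
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_config(text):
    """Return {acl_name: [(seq, action, proto, dport), ...]} with every object-group
    ACE expanded into the classical ACEs it is equivalent to."""
    groups, acls = {}, {}
    current, kind = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("object-group service "):
            current, kind = groups.setdefault(line.split()[2], []), "group"
        elif line.startswith("ip access-list extended "):
            current, kind = acls.setdefault(line.split()[3], []), "acl"
        elif kind == "group":
            toks = line.split()
            dport = port(toks[2]) if len(toks) >= 3 and toks[1] == "eq" else None
            current.append((toks[0], dport))
        elif kind == "acl":
            seq, action, grp, proto, dport = ACE_RE.match(line).groups()
            if grp:  # expand the group in place, keeping the ACE's sequence number
                current.extend((int(seq), action, p, dp) for p, dp in groups[grp])
            else:
                current.append((int(seq), action, proto, port(dport)))
    return acls


def first_match(acl, proto, dport=None):
    """First-match evaluation of the expanded ACL; (None, 'deny') is the implicit deny."""
    for seq, action, p, dp in acl:
        if p not in ("ip", proto):
            continue
        if dp is not None and dp != dport:
            continue
        return seq, action
    return None, "deny"


def audit(acls, log_lines):
    """Return (line, seq, expected, logged) for log events whose verdict contradicts
    what the configured policy should give."""
    anomalies = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dport = int(m["dport"]) if m["dport"] else None
        seq, expected = first_match(acls[m["acl"]], m["proto"], dport)
        logged = "permit" if m["verdict"] == "permitted" else "deny"
        if logged != expected:
            anomalies.append((line, seq, expected, logged))
    return anomalies


ACLS = parse_config(CONFIG)

if __name__ == "__main__":
    for seq, action, proto, dport in ACLS["Acl_Inside"]:
        print(seq, action, proto, "" if dport is None else f"eq {dport}")
    for line, seq, expected, logged in audit(ACLS, LOGS):
        print(f"MISMATCH: policy says {expected} (seq {seq}) but device logged {logged}: {line}")
```

Running it prints the expanded ACL and flags the ICMP deny as a mismatch, while the TCP/22 deny is accepted as correct. Feeding it the real `show running-config` and syslog output turns the poster's "it stops allowing eigrp or icmp" into a concrete, repeatable check: if mismatches appear only for flows that reach the object-group ACE, the object-group evaluation itself is what to distrust, and the expanded classical ACEs the script prints are the workaround to apply in the meantime.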
09-22-2010 02:34 PM
Did you get a resolution to this issue? I am experiencing the exact same problem with the nested object group.
09-22-2010 09:02 PM
There have been a few instances of buggy behavior involving object groups.
Let me dig up and see what I find.
I'll update this thread if I find something.