Cisco Bug: CSCuj54287 - ASA ACL not applied object-group-search enabled and first line is remark

Last Modified

Apr 16, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.0(3.1) 9.1(2.5)

Description (partial)

Symptom:
When "write standby" is issued from the active unit, or when the ASA reloads and reads its configuration from flash, the following error message is seen:
ERROR: access-list <ACL Name> is empty, no access control elements configured

The ACL is then not applied to the interface as an access-group (the access-group command no longer appears in the show run output).

The ACL configuration is also reordered: all remark lines appear at the beginning of the ACL and all ACEs appear at the end.

Conditions:
-- ASA running 9.1.2.5 and later or 9.0.3.1 and later.
-- object-group-search access-control is enabled
-- The ACL to be applied as an access-group contains a remark as its first line. This causes the ACL not to be applied; if this condition is not met, the ACL configuration will still be in the wrong order.
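
A saved configuration can be audited offline for the last two conditions, and a pre/post comparison can confirm whether an access-group binding was lost. The following is an added example, not Cisco code: the function names and the sample configuration are constructed for illustration, and the software release is not checked.

```python
import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(\S+)")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s")

# Constructed sample of a saved ASA configuration (not from the bug report).
SAMPLE_BEFORE = """\
object-group-search access-control
access-list OUTSIDE_IN remark allow web to DMZ
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq www
access-list INSIDE_IN extended permit ip any any
access-list INSIDE_IN remark default inside policy
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
"""
# Constructed "after" state: the binding for OUTSIDE_IN has disappeared.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "access-group OUTSIDE_IN in interface outside\n", "")


def parse(config):
    """Return (ogs_enabled, first keyword of each ACL, access-group lines per ACL)."""
    ogs, first_kw, groups = False, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "object-group-search access-control":
            ogs = True  # the "no ..." form does not match
        elif m := ACL_RE.match(line):
            first_kw.setdefault(m.group(1), m.group(2))  # first entry only
        elif m := GROUP_RE.match(line):
            groups.setdefault(m.group(1), []).append(line)
    return ogs, first_kw, groups


def at_risk_acls(config):
    """ACLs bound by access-group whose first line is a remark, with OGS enabled."""
    ogs, first_kw, groups = parse(config)
    return sorted(a for a in groups if ogs and first_kw.get(a) == "remark")


def dropped_access_groups(before, after):
    """access-group lines present in `before` but absent from `after`."""
    old, new = parse(before)[2], parse(after)[2]
    return sorted(l for acl, lines in old.items()
                  for l in lines if l not in new.get(acl, []))


if __name__ == "__main__":
    print("at risk:", at_risk_acls(SAMPLE_BEFORE))
    print("dropped:", dropped_access_groups(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Run `at_risk_acls` against the startup configuration before a reload or "write standby", and `dropped_access_groups` against show run captures taken before and after, since a lost binding leaves the interface without that ACL.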