Cisco Bug: CSCum24760 - ASA policy-map action not applied correctly after config change

Last Modified

Nov 27, 2020

Products (1)

  • Cisco Adaptive Security Appliance (ASA) Software

Known Affected Releases

9.1(3)

Description (partial)

Symptom:
When changes are made to a policy-map that contains overlapping classes, the actions in that policy-map are no longer applied in the correct order (first match wins). For example:

access-list alltcp extended permit tcp any any
access-list bypass extended permit tcp host 10.1.110.10 host 192.168.112.72
!
class-map alltcp
 match access-list alltcp
class-map bypass
 match access-list bypass
!
policy-map global_policy
 class bypass
  set connection advanced-options tcp-state-bypass
 class alltcp
  set connection random-sequence-number disable

In this case, a TCP connection from 10.1.110.10 to 192.168.112.72 should have TCP state bypass applied, because class bypass is listed first and matches. All other TCP connections should have sequence number randomization disabled. This policy works correctly until the TCP state bypass action is removed and re-added (or otherwise changed):

policy-map global_policy
 class bypass
  no set connection advanced-options tcp-state-bypass
  set connection advanced-options tcp-state-bypass
!
clear local-host

After this, a TCP connection from 10.1.110.10 to 192.168.112.72 will no longer have TCP state bypass applied, even though the resulting configuration is identical to the original one.

This issue is not specific to TCP state bypass. The problem also occurs with other actions, such as 'set connection advanced-options {tcp-map}'.

Conditions:
This problem is seen after a change is made to an existing policy-map that contains overlapping classes. Newly created policies are not affected. Loading the configuration from startup-config (for example, after a reload) is also not affected.
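The following check is an added example and is not part of the Cisco bug record. It shows how to confirm, on the affected ASA, whether the bypass action is actually being applied to the overlapping flow after a policy-map change; the interface name "inside" and destination port 80 are assumptions chosen for illustration.

```text
! Added verification sequence, not from the Cisco record.
! Assumes 10.1.110.10 sits behind an interface named "inside" and
! the flow of interest is TCP/80 (both are assumptions).

! 1. Ask the ASA which class and actions the service policy would apply
!    to this exact 5-tuple. Expected: class-map bypass with the
!    tcp-state-bypass action. With the bug present the flow is handled
!    by class alltcp instead, and the bypass action is not listed.
ciscoasa# show service-policy flow tcp host 10.1.110.10 host 192.168.112.72 eq 80

! 2. Per-class hit counters: after sending test traffic, the counters
!    show which class the connections are being matched against.
ciscoasa# show service-policy global

! 3. Force a fresh connection lookup, then inspect the resulting conn
!    entry. A conn that has TCP state bypass applied carries the 'b'
!    flag in the flags field of 'show conn detail'.
ciscoasa# clear local-host 10.1.110.10
ciscoasa# show conn detail address 10.1.110.10 | include 192.168.112.72
```

If step 1 reports class alltcp for the 10.1.110.10 to 192.168.112.72 flow, or step 3 shows a conn without the 'b' flag, the policy-map is in the state described by this bug even though the running configuration looks correct. Since the Conditions note that reading the configuration from startup-config is not affected, repeating the checks after a reload is a useful way to distinguish this bug from a genuine policy misconfiguration.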