Cisco Bug: CSCuq66480 - ASA DP not changing static route next hop correctly

Last Modified

Nov 08, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

1.0(1)

Description (partial)

Symptom:
On APIC, the following static route is configured on the L4-L7 service parameter of an interface:
<fvTenant name="g010">
    <fvAp name="app01">
        <vnsFolderInst key="Interface" name="external_if" ctrctNameOrLbl="any" graphNameOrLbl="single_asa_graph" nodeNameOrLbl="asa_fw">
            <vnsFolderInst key="StaticRoute" name="external_routes" ctrctNameOrLbl="any" graphNameOrLbl="single_asa_graph" nodeNameOrLbl="asa_fw">
                <vnsFolderInst key="route" name="route1" ctrctNameOrLbl="any" graphNameOrLbl="single_asa_graph" nodeNameOrLbl="asa_fw">
                    <vnsParamInst key="network" name="network" value="0.0.0.0" />
                    <vnsParamInst key="netmask" name="netmask" value="0.0.0.0" />
                    <vnsParamInst key="gateway" name="gateway" value="10.1.11.254" />
                </vnsFolderInst>
            </vnsFolderInst>
        </vnsFolderInst>
    </fvAp>
</fvTenant>
 
The ASA device package pushed the following static route to the ASA:
route external_if 0.0.0.0 0.0.0.0 10.1.11.254 1
 
The gateway of the static route is then changed to another IP address with the XML below (using the same key and name for the meta folder and parameter as in the first XML):
<fvTenant name="g010">
    <fvAp name="app01">
        <vnsFolderInst key="Interface" name="external_if" ctrctNameOrLbl="any" graphNameOrLbl="single_asa_graph" nodeNameOrLbl="asa_fw">
            <vnsFolderInst key="StaticRoute" name="external_routes" ctrctNameOrLbl="any" graphNameOrLbl="single_asa_graph" nodeNameOrLbl="asa_fw">
                <vnsFolderInst key="route" name="route1" ctrctNameOrLbl="any" graphNameOrLbl="single_asa_graph" nodeNameOrLbl="asa_fw">
                    <vnsParamInst key="network" name="network" value="0.0.0.0" />
                    <vnsParamInst key="netmask" name="netmask" value="0.0.0.0" />
                    <vnsParamInst key="gateway" name="gateway" value="10.1.11.1" />
                </vnsFolderInst>
            </vnsFolderInst>
        </vnsFolderInst>
    </fvAp>
</fvTenant>
 
The ASA device package pushed the following static route to the ASA:
route external_if 0.0.0.0 0.0.0.0 10.1.11.1 1
 
However, it did not remove the static route pushed by the first XML, so the ASA ended up with two static routes instead of one:
asa-1/g010-pvt# sh run route | i exter
route external_if 0.0.0.0 0.0.0.0 10.1.11.254 1
route external_if 0.0.0.0 0.0.0.0 10.1.11.1 1
asa-1/g010-pvt# 
 
Instead of changing the next hop of a static route, the device package installed another static route to the ASA.

Conditions:
Changing the next hop of a static route for ASA on APIC.
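
The leftover route described in the symptom can be found by comparing the routes APIC currently defines with the `route` lines in the ASA running configuration. The Python below is an added example, not part of the Cisco bug report or the device package; it assumes the Interface folder name is the ASA interface name (as in the report), and the `mgmt` route line is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Sample input: the second APIC XML from the report, with the
# ctrctNameOrLbl/graphNameOrLbl/nodeNameOrLbl attributes trimmed for brevity.
APIC_XML = """
<fvTenant name="g010"><fvAp name="app01">
  <vnsFolderInst key="Interface" name="external_if">
    <vnsFolderInst key="StaticRoute" name="external_routes">
      <vnsFolderInst key="route" name="route1">
        <vnsParamInst key="network" name="network" value="0.0.0.0" />
        <vnsParamInst key="netmask" name="netmask" value="0.0.0.0" />
        <vnsParamInst key="gateway" name="gateway" value="10.1.11.1" />
      </vnsFolderInst>
    </vnsFolderInst>
  </vnsFolderInst>
</fvAp></fvTenant>
"""

# Sample input: `sh run route` output from the report, plus one constructed
# line on another interface to show that unmanaged interfaces are ignored.
ASA_ROUTES = """
route external_if 0.0.0.0 0.0.0.0 10.1.11.254 1
route external_if 0.0.0.0 0.0.0.0 10.1.11.1 1
route mgmt 192.0.2.0 255.255.255.0 198.51.100.1 1
"""

def intended_routes(apic_xml):
    """Set of (interface, network, netmask, gateway) configured on APIC."""
    routes = set()
    for intf in ET.fromstring(apic_xml).iter("vnsFolderInst"):
        if intf.get("key") != "Interface":
            continue
        for folder in intf.iter("vnsFolderInst"):
            if folder.get("key") == "route":
                p = {e.get("key"): e.get("value") for e in folder.findall("vnsParamInst")}
                # Assumption: the Interface folder name is the ASA interface name.
                routes.add((intf.get("name"), p["network"], p["netmask"], p["gateway"]))
    return routes

def running_routes(config_text):
    """Set of (interface, network, netmask, gateway) from ASA `route` lines."""
    lines = (l.split() for l in config_text.splitlines())
    return {tuple(t[1:5]) for t in lines if len(t) >= 5 and t[0] == "route"}

def stale_routes(apic_xml, config_text):
    """Routes on APIC-managed interfaces that APIC no longer defines."""
    wanted = intended_routes(apic_xml)
    managed = {r[0] for r in wanted}
    return sorted(r for r in running_routes(config_text) - wanted if r[0] in managed)
```

Calling `stale_routes(APIC_XML, ASA_ROUTES)` returns the 10.1.11.254 default route, which is the entry that should have been removed when the gateway was changed.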