Cisco Bug: CSCur17676 - ASA DP does not modify the access-group of interface

Last Modified

Nov 08, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

1.0(1)

Description (partial)

Symptom:
A service graph containing only an ASA function node is associated with a contract/subject; APIC shows both the service graph and the device cluster as deployed without faults.

The L4-L7 service parameters contain the following XML access-group configuration, which attaches the permit_ip ACL to the interface:
<fvTenant name="dummy_test">
    <vnsFolderInst key="Interface" name="outside_if" ctrctNameOrLbl="any" graphNameOrLbl="any" nodeNameOrLbl="asa_fw">
        <vnsFolderInst key="AccessGroup" name="accessGroup" ctrctNameOrLbl="any" graphNameOrLbl="any" nodeNameOrLbl="asa_fw">
            <vnsCfgRelInst key="inbound_access_list_name" name="ingress_acl" targetName="permit_ip" />
        </vnsFolderInst>
    </vnsFolderInst>
</fvTenant>

Without disassociating the service graph from the contract/subject, the following XML is sent to change the ACL attached to the interface from permit_ip to permit_icmp:
<fvTenant name="dummy_test">
    <vnsFolderInst key="Interface" name="outside_if" ctrctNameOrLbl="any" graphNameOrLbl="any" nodeNameOrLbl="asa_fw">
        <vnsFolderInst key="AccessGroup" name="accessGroup" ctrctNameOrLbl="any" graphNameOrLbl="any" nodeNameOrLbl="asa_fw">
            <vnsCfgRelInst key="inbound_access_list_name" name="ingress_acl" targetName="permit_icmp" />
        </vnsFolderInst>
    </vnsFolderInst>
</fvTenant>

APIC accepted the XML request and updated its object model; Visore shows that the access-group for the interface has been modified to permit_icmp.

However, on the ASA the access-group is still bound to the original ACL, so the device keeps enforcing permit_ip while APIC believes permit_icmp is in effect:
ciscoasa# sh run access-group 
access-group permit_ip in interface outside_if    <<<< this should have changed to permit_icmp
access-group permit_ip in interface inside_if

Conditions:
Changing access-group configuration of an interface from APIC.
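The practical consequence of this bug is that the APIC object model and the running ASA configuration silently disagree about which ACL is enforced, so the check a practitioner wants is a comparison of intended versus deployed access-groups. The following is an added example, not code from the bug report or from Cisco: it parses the L4-L7 parameter XML shown above for the inbound ACL intended on each interface, parses the ASA's show run access-group output for the ACL actually bound, and reports every interface where the two differ. Both inputs are constructed from the text on this page; in real use the XML would be read back from APIC's REST API and the ASA output collected over SSH, neither of which this example does.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the bug report: the L4-L7 parameters pushed to APIC to
# switch the inbound ACL on outside_if from permit_ip to permit_icmp.
APIC_PARAMS_XML = """<fvTenant name="dummy_test">
    <vnsFolderInst key="Interface" name="outside_if" ctrctNameOrLbl="any" graphNameOrLbl="any" nodeNameOrLbl="asa_fw">
        <vnsFolderInst key="AccessGroup" name="accessGroup" ctrctNameOrLbl="any" graphNameOrLbl="any" nodeNameOrLbl="asa_fw">
            <vnsCfgRelInst key="inbound_access_list_name" name="ingress_acl" targetName="permit_icmp" />
        </vnsFolderInst>
    </vnsFolderInst>
</fvTenant>"""

# Constructed sample of "show run access-group" on the ASA after the push,
# matching the bug report: the ASA never applied the change.
ASA_SHOW_RUN_AFTER_BUG = """access-group permit_ip in interface outside_if
access-group permit_ip in interface inside_if
"""

# Constructed sample of what the ASA should show once the change is applied.
ASA_SHOW_RUN_EXPECTED = """access-group permit_icmp in interface outside_if
access-group permit_ip in interface inside_if
"""


def intended_inbound_acls(params_xml):
    """Map interface name -> inbound ACL name from the APIC L4-L7 parameter XML."""
    root = ET.fromstring(params_xml)
    intended = {}
    for folder in root.iter("vnsFolderInst"):
        if folder.get("key") != "Interface":
            continue  # skip the nested AccessGroup folder itself
        for rel in folder.iter("vnsCfgRelInst"):
            if rel.get("key") == "inbound_access_list_name":
                intended[folder.get("name")] = rel.get("targetName")
    return intended


# One "access-group <acl> in|out interface <ifname>" line per binding.
ACCESS_GROUP_RE = re.compile(
    r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)", re.MULTILINE
)


def deployed_inbound_acls(show_run_output):
    """Map interface name -> inbound ACL name from ASA 'show run access-group' text."""
    deployed = {}
    for acl, direction, iface in ACCESS_GROUP_RE.findall(show_run_output):
        if direction == "in":
            deployed[iface] = acl
    return deployed


def find_drift(params_xml, show_run_output):
    """Return (interface, intended_acl, deployed_acl) for every interface where
    the ASA's bound inbound ACL differs from what APIC's model says it should be.
    A missing binding on the ASA is reported with deployed_acl = None."""
    intended = intended_inbound_acls(params_xml)
    deployed = deployed_inbound_acls(show_run_output)
    return [
        (iface, acl, deployed.get(iface))
        for iface, acl in sorted(intended.items())
        if deployed.get(iface) != acl
    ]


if __name__ == "__main__":
    for iface, want, have in find_drift(APIC_PARAMS_XML, ASA_SHOW_RUN_AFTER_BUG):
        print(f"DRIFT {iface}: APIC intends {want}, ASA has {have}")
```

Run against the bug's output the script reports one drift entry for outside_if (intended permit_icmp, deployed permit_ip); against the expected post-change output it reports nothing. Interfaces that appear on the ASA but not in the parameter XML (inside_if here) are deliberately ignored, since the XML only describes the folders it carries.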