Cisco Bug: CSCur28615 - Hex code associated with syslog is referenced from the old ACE/ACL

Last Modified

Jul 30, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.2(5) 9.1

Description (partial)

Symptom:
The hexadecimal code in the syslog message still references the old ACE/ACL that was previously being hit, even though the traffic is now hitting the new ACE/ACL entry, which has a different hexadecimal code.

Example:
An ACL entry is configured with "permit icmp any any". At this point, all traffic matching the ACL generates a syslog message carrying the hex code associated with that ACL entry, 0x4f3e126c, as in the ACL below.

access-list OUTSIDE  line 1 extended permit icmp any any (hitcnt=10) 0x4f3e126c

Oct 03 09:00:51 172.16.10.5 : %ASA-5-106100: access-list OUTSIDE permitted icmp OUTSIDE/20.0.0.1(8) -> INSIDE/10.0.0.1(0) hit-cnt 2 300-second interval [0x4f3e126c, 0x0]


At this stage, if you add a more specific rule above the previous one, the new syslog message still references the hex code of the old ACE/ACL entry, even though the traffic is hitting the new ACE/ACL entry.

access-list OUTSIDE  line 1 extended permit ip host 20.0.0.1 host 10.0.0.1 (hitcnt=17) 0xb03ee244
access-list OUTSIDE  line 2 extended permit icmp any any (hitcnt=10) 0x4f3e126c

Oct 03 09:10:14 172.16.10.5 : %ASA-5-106100: access-list OUTSIDE permitted icmp OUTSIDE/20.0.0.1(8) -> INSIDE/10.0.0.1(0) hit-cnt 12 300-second interval [0x4f3e126c, 0x0]

Conditions:
ASA software running code 8.2(5) and 9.1
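
A check for log pipelines that map 106100 hex codes back to rules on affected releases: it recomputes which ACE a logged flow should hit and flags a logged code that points at a different ACE. This is an added example, not Cisco code. The function names are hypothetical, and it assumes first-match evaluation in line order, only "any" and "host" operands, and that the first bracketed value is the ACE hex code, as in the example above.

```python
import re

# Regexes follow the line shapes printed on this page; only "any" and
# "host A.B.C.D" operands are handled (assumption for this example).
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+)\s+line (?P<line>\d+) extended (?:permit|deny) "
    r"(?P<proto>\S+) (?P<src>any|host \S+) (?P<dst>any|host \S+) "
    r"\(hitcnt=\d+\) (?P<hash>0x[0-9a-f]+)")
LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?:permitted|denied) (?P<proto>\S+) "
    r"\S+/(?P<src>[\d.]+)\(\d+\) -> \S+/(?P<dst>[\d.]+)\(\d+\) "
    r".*\[(?P<hash>0x[0-9a-f]+), ")

def _addr_ok(operand, ip):
    return operand == "any" or operand == "host " + ip

def first_matching_ace(acl_text, log):
    """First ACE in line order that matches the logged flow, or None."""
    aces = sorted((m.groupdict() for m in ACE_RE.finditer(acl_text)),
                  key=lambda a: int(a["line"]))
    for ace in aces:
        if (ace["acl"] == log["acl"] and ace["proto"] in ("ip", log["proto"])
                and _addr_ok(ace["src"], log["src"])
                and _addr_ok(ace["dst"], log["dst"])):
            return ace
    return None

def check_106100(acl_text, syslog_line):
    """Return (logged_hash, expected_hash, stale) or None if unparseable."""
    m = LOG_RE.search(syslog_line)
    if m is None:
        return None
    log = m.groupdict()
    ace = first_matching_ace(acl_text, log)
    expected = ace["hash"] if ace else None
    return log["hash"], expected, expected is not None and expected != log["hash"]

# Sample input copied from the example on this page.
ACL_AFTER = """\
access-list OUTSIDE  line 1 extended permit ip host 20.0.0.1 host 10.0.0.1 (hitcnt=17) 0xb03ee244
access-list OUTSIDE  line 2 extended permit icmp any any (hitcnt=10) 0x4f3e126c
"""
LOG_AFTER = ("Oct 03 09:10:14 172.16.10.5 : %ASA-5-106100: access-list OUTSIDE "
             "permitted icmp OUTSIDE/20.0.0.1(8) -> INSIDE/10.0.0.1(0) "
             "hit-cnt 12 300-second interval [0x4f3e126c, 0x0]")

if __name__ == "__main__":
    print(check_106100(ACL_AFTER, LOG_AFTER))
```

A result with the third field set to True means the logged code should not be used on its own to attribute the flow to a rule.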