Cisco Bug: CSCur97335 - ASA devpkg only program partial functions in SG

Last Modified

Nov 08, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

1.1(1.2)

Description (partial)

Symptom:
When using the ASA device package with an APIC L4-L7 service graph, if the user builds a 3-node graph to create the following topology/traffic flow:

           C
           |
           C1
           \/
+--+     +----+
|NS|     |ASAv|
|N2|<-C2-| N1 |
|  |-C3->| N3 |
+--+     +----+
           |
           C4
           \/
            P

C -> N1 -> N2 -> N3 -> P
N1 and N3 are the same ASAv, and C2 and C3 are mapped to the same CDev (shared interface).
N2 is Citrix; it is programmed correctly.

Here is how it is mapped in LDev:
outside (C1) -> N1 -> vpx-out (C2)
vpx-in (C3) -> N3 -> dmz (C4)

For CDev on the ASAv:
G0/0 - outside
G0/1 - dmz
G0/2 - vpx-out, vpx-in

Under debug.log in APIC, the [Configuration argument] is correct, but the POST request does not contain N1's configuration. Only N3's exists.

Conditions:
Using an APIC L4-L7 3-node graph to create 3x security zones.