Cisco Bug: CSCvu71324 - ASA: Automatic DENY rule applied in multiple contexts due to the use of the dhcp-network-scope

Last Modified

Sep 17, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.8(4.17)

Description (partial)

Symptom:
It is confirmed that configuring dhcp-network-scope under a group policy in one context adds that IP address to a persistent list shared across contexts.

Then, when an interface is brought up in another context, the ASA first adds a DENY rule for the interface IP address and then checks the persistent list; if any IP address is on that list, it adds a DENY rule for that address as well, regardless of which context the address belongs to.

As a result, traffic destined to the dhcp-network-scope IP address is blocked in specific ASA contexts.

Conditions:
ASA running code 9.8(4.17) in multiple-context mode, with dhcp-network-scope configured under a group-policy in one context.
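The bug page gives no workaround, so the practical question is which contexts on a given unit would receive the spurious DENY. The following audit script is an added example and is not Cisco's code: it parses per-context running-config text, extracts every `dhcp-network-scope <ip>` line under a `group-policy <name> attributes` stanza, and lists, for each context, the scope addresses configured in other contexts. The `CONFIGS` snippets, the function names `find_scopes` and `cross_context_denies`, and the decision to report only addresses originating in a different context are assumptions made for illustration; the script models the described behaviour, it does not reproduce ASA internals.

```python
"""
Audit ASA multi-context running-configs for dhcp-network-scope exposure.

Added example, not part of the Cisco bug page. The config snippets are
constructed for illustration: two contexts, only CTX-A uses the scope.
"""
import re
from typing import Dict, List, Tuple

CONFIGS: Dict[str, str] = {
    "CTX-A": """\
group-policy GP-VPN internal
group-policy GP-VPN attributes
 vpn-tunnel-protocol ikev2 ssl-client
 dhcp-network-scope 10.10.20.0
 dns-server value 10.10.1.53
""",
    "CTX-B": """\
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.50.1 255.255.255.0
group-policy GP-PLAIN internal
group-policy GP-PLAIN attributes
 vpn-tunnel-protocol ikev2
""",
}

_GP_ATTR = re.compile(r"^group-policy\s+(\S+)\s+attributes\s*$")
_SCOPE = re.compile(r"^\s+dhcp-network-scope\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def find_scopes(config: str) -> List[Tuple[str, str]]:
    """Return (group-policy name, scope IP) pairs from one context's config.

    Only indented lines under a `group-policy X attributes` stanza count;
    the next non-indented line ends the stanza.
    """
    scopes: List[Tuple[str, str]] = []
    current = None
    for line in config.splitlines():
        m = _GP_ATTR.match(line)
        if m:
            current = m.group(1)
            continue
        if line and not line[0].isspace():
            current = None  # left the attributes stanza
            continue
        if current is not None:
            s = _SCOPE.match(line)
            if s:
                scopes.append((current, s.group(1)))
    return scopes


def cross_context_denies(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each context to scope IPs that other contexts put on the list.

    Per the bug description, an interface coming up in any context adds a
    DENY for every IP on the shared persistent list, so these are the
    addresses whose traffic would be dropped in that context.
    """
    scope_by_ctx = {ctx: find_scopes(cfg) for ctx, cfg in configs.items()}
    result: Dict[str, List[str]] = {}
    for ctx in configs:
        foreign = sorted({ip for other, pairs in scope_by_ctx.items()
                          if other != ctx for _, ip in pairs})
        result[ctx] = foreign
    return result


if __name__ == "__main__":
    for ctx, ips in cross_context_denies(CONFIGS).items():
        status = ", ".join(ips) if ips else "none"
        print(f"{ctx}: foreign dhcp-network-scope addresses -> {status}")
```

Feed it the output of `show running-config` captured from each context (after `changeto context <name>` from the system space); any context listed with a non-empty set is one where traffic to those addresses should be checked on the affected release.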