Cisco Bug: CSCvv37517 - Add warning when the ASA config to be migrated has large number of sub-interfaces and access-groups

Last Modified

Oct 02, 2020

Products (1)

  • Cisco Firepower NGFW

Known Affected Releases

2.1(2)

Description (partial)

Symptom:
When the ASA config is migrated to FMC using the tool, the rule mapping is based on the nameif and zones that are present in the ASA. The corresponding access-group is used to determine the categories of rules that will be pushed on the FMC.

It is possible that the rules in different access lists are identical, but because each access-group binds its own access list, the tool pushes them to the FMC as separate, unique access lists. This is not a defect or an incorrect configuration, but it bloats the configuration on the FMC, and the size of that configuration can then cause deployment to fail. (This is independent of a high number of ACEs.)

A warning should be raised pro-actively that the rules in the migrated config could be regrouped to reduce the size of the config.

A sample SFO that leads to the problem, along with the ASA config, is attached.

Conditions:
ASA config leveraging a large number of access-groups associated with corresponding sub-interfaces.
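The pro-active check the bug asks for, as an added example that is not part of the Cisco migration tool or of this bug page: it parses a constructed ASA config (ACL names and nameifs are assumed), groups access-group bindings whose access lists carry identical ACEs, and returns a warning once the number of bindings passes a threshold.

```python
import re
from collections import defaultdict

# Constructed sample (not the bug's attachment): three sub-interface nameifs
# whose ACLs carry identical ACEs, plus one distinct ACL.
SAMPLE_ASA_CONFIG = """
access-list ACL_VLAN10 extended permit tcp any any eq 443
access-list ACL_VLAN10 extended deny ip any any
access-list ACL_VLAN20 extended permit tcp any any eq 443
access-list ACL_VLAN20 extended deny ip any any
access-list ACL_VLAN30 extended permit udp any any eq 53
access-group ACL_VLAN10 in interface vlan10
access-group ACL_VLAN20 in interface vlan20
access-group ACL_VLAN30 in interface vlan30
"""

ACL_RE = re.compile(r"^access-list (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")

def parse_asa(config):
    """Return ({acl_name: tuple of ACEs}, [(acl_name, direction, nameif)])."""
    acls, bindings = defaultdict(list), []
    for line in config.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].append(m.group(2))  # ACE order is significant
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings.append((m.group(1), m.group(2), m.group(3)))
    return {k: tuple(v) for k, v in acls.items()}, bindings

def find_regroup_candidates(config):
    """Group bindings whose ACLs have identical ACEs in the same direction."""
    acls, bindings = parse_asa(config)
    by_content = defaultdict(list)
    for acl, direction, nameif in bindings:
        by_content[(acls.get(acl, ()), direction)].append((acl, nameif))
    return [members for members in by_content.values() if len(members) > 1]

def migration_warning(config, threshold=2):
    """Return the pro-active warning text, or None if nothing should be flagged."""
    _, bindings = parse_asa(config)
    groups = find_regroup_candidates(config)
    if len(bindings) < threshold or not groups:
        return None
    dup = sum(len(g) - 1 for g in groups)
    return (f"{len(bindings)} access-group bindings; {dup} could be merged into "
            f"{len(groups)} shared rule set(s) before migration")
```

Run against the sample, it flags ACL_VLAN10 and ACL_VLAN20 as one shared rule set while leaving ACL_VLAN30 alone; on a real config the threshold would be raised to whatever binding count the FMC deployment tolerates.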