Symptom
When access-lists are configured for PBR with one ACL whose destination is any and a second ACL with a specific destination, the system throws warning messages that prevent configuration replication from the active unit to the standby unit from completing, so the secondary device keeps rebooting.
WARNING: If access-list having destination "any\any4\any6" is used as match criteria for a route map, and applied to any routing protocol it will not have any effect. Instead, use standard ACL or extended ACL without any\any4\any6 in destination.
Conditions
Access-lists configured for PBR where one ACL has destination any and another ACL has a specific destination.
Workaround
Remove the ACL in question, enable failover, and let the system complete the config replication. Then add the ACL back and run wr me.
Things to avoid: wr standby and rebooting the standby unit.
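To identify the ACL in question before applying the workaround, the following pre-check (an added example, not part of this bug report or of ASA software) parses a saved running-config and reports the route-map match ACLs that genuinely carry an any/any4/any6 destination, which is what the quoted warning is meant to flag. It assumes ASA extended-ACL syntax; the sample config is constructed for the example.

```python
"""Pre-check for the PBR route-map ACL warning quoted above (added example, not ASA code).
Sample config is constructed; it is not from a device."""

SAMPLE_CONFIG = """\
access-list PBR_ANY extended permit ip 10.1.1.0 255.255.255.0 any
access-list PBR_SPECIFIC extended permit ip 10.1.1.0 255.255.255.0 host 192.0.2.10
access-list PBR_WEB extended permit tcp host 10.1.1.5 eq 8080 192.0.2.0 255.255.255.0 eq 443
access-list OUTSIDE_IN extended permit tcp any4 host 203.0.113.5 eq 443
route-map PBR permit 10
 match ip address PBR_ANY
 set ip next-hop 198.51.100.1
route-map PBR permit 20
 match ip address PBR_SPECIFIC PBR_WEB
"""

ANY = ("any", "any4", "any6")
PORT_OPS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}  # operator -> operand count

def _skip_address(tokens, i):
    """Return the index just past the address term that starts at tokens[i]."""
    t = tokens[i]
    if t in ANY or "/" in t:  # any keyword, or a single-token IPv6 prefix
        return i + 1
    return i + 2  # host/object/object-group/interface ARG, or "A.B.C.D MASK"

def destination_of(ace):
    """Return the destination term of an extended ACE, or None if the line is not one."""
    tokens = ace.split()
    # access-list NAME extended {permit|deny} PROTO SRC [ports] DST [ports] ...
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    i = 4 + (2 if tokens[4] == "object-group" else 1)  # step past the protocol
    i = _skip_address(tokens, i)  # step past the source address
    if i < len(tokens) and tokens[i] in PORT_OPS:  # optional source port clause
        i += 1 + PORT_OPS[tokens[i]]
    return tokens[i] if i < len(tokens) else None

def flagged_acls(config):
    """Map each route-map match ACL to its ACEs whose destination is any/any4/any6."""
    any_dest, matched = {}, set()
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("access-list ") and destination_of(line) in ANY:
            any_dest.setdefault(line.split()[1], []).append(line)
        elif line.startswith("match ip address "):
            matched.update(line.split()[3:])
    return {name: aces for name, aces in any_dest.items() if name in matched}

if __name__ == "__main__":
    print(flagged_acls(SAMPLE_CONFIG))  # {'PBR_ANY': [...]}
```

ACLs that the device warns about but that this check does not list (such as PBR_SPECIFIC above) are candidates for the incorrect warning this bug describes.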
Further Problem Description
The secondary ASA is unable to join failover because of the aggressive warning messages.
We are incorrectly throwing the "any" destination warning for an access-list even though its destination IP is not "any".