Symptom
We found an ASA problem where a confirmed orphaned SSH session on the ASA prevented us from removing the following policy-map configuration from the ASA CLI:
policy-map type inspect esmtp esmtp_1000
 parameters
  allow-tls
- We first removed the inspect from the class-map esmtp as follows:
policy-map global_policy
 class esmtp
  no inspect esmtp esmtp_1000
- Then we removed the class-map esmtp from the global policy:
policy-map global_policy
 no class esmtp
Here is the final config:
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
- After this, we tried to delete the policy-map type inspect in question, and it failed:
ASA/pri/act/FW(config)# no policy-map type inspect esmtp esmtp_1000
ERROR: policy-map esmtp_1000 is being configured and hence cannot be removed.
Conditions
ASA with an orphaned SSH session
Workaround
1.- Use "show ssh session" to confirm any orphaned SSH session on the ASA.
Then disconnect the orphaned SSH session with the command "ssh disconnect [session id]"
OR
2.- Reboot the ASA; after this, you will be able to delete/remove the policy-map in question.
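As an added example (not part of this bug description or any Cisco tool), the script below parses a constructed "show ssh sessions" table and builds the "ssh disconnect" commands for workaround 1. The table layout is modelled on the ASA 9.x output and the "keep my own SID, treat the rest as candidate orphans" rule are both assumptions; confirm each candidate against who is actually logged in before disconnecting it.

```python
import re
from dataclasses import dataclass

# Constructed sample of `show ssh sessions` output, modelled on the ASA 9.x
# table layout (an assumption; verify against your own firewall's output).
# Each SID has an IN row and an indented OUT row.
SAMPLE = """\
SID Client IP       Version Mode Encryption Hmac     State            Username
0   10.10.5.20      2.0     IN   aes256-cbc sha1     SessionStarted   admin
                            OUT  aes256-cbc sha1     SessionStarted   admin
1   10.10.5.21      2.0     IN   aes128-ctr sha2-256 SessionStarted   netops
                            OUT  aes128-ctr sha2-256 SessionStarted   netops
2   10.10.5.20      2.0     IN   aes256-cbc sha1     SessionStarted   admin
                            OUT  aes256-cbc sha1     SessionStarted   admin
"""

@dataclass
class SshSession:
    sid: int
    client_ip: str
    state: str
    username: str

# Match only the IN row of each session; it starts with the numeric SID.
SESSION_RE = re.compile(
    r"^(?P<sid>\d+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+IN\s+\S+\s+\S+\s+"
    r"(?P<state>\S+)\s+(?P<user>\S+)\s*$"
)

def parse_ssh_sessions(text: str) -> list[SshSession]:
    """Return one record per SID; header and OUT rows are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(SshSession(int(m["sid"]), m["ip"], m["state"], m["user"]))
    return sessions

def disconnect_commands(sessions: list[SshSession], keep_sid: int) -> list[str]:
    """Build `ssh disconnect <sid>` for every session except the operator's own.
    Treating every other session as a candidate orphan is an assumption made
    here for illustration; review the list before running it on the ASA."""
    return [f"ssh disconnect {s.sid}" for s in sessions if s.sid != keep_sid]

if __name__ == "__main__":
    found = parse_ssh_sessions(SAMPLE)
    for s in found:
        print(f"SID {s.sid} from {s.client_ip} ({s.username}, {s.state})")
    print("\n".join(disconnect_commands(found, keep_sid=2)))
```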
Further Problem Description