...
The problem has to do with the order in which the FMC pushes and removes NAT/ACL rules on an FTD. In some cases, the FTD still holds the configuration snapshot of a rule, but when the FMC pushes the commands to edit an object within a rule that was removed (deleting the NAT rule happens later in the deployment process), the deployment fails. The resulting error is, for example, either a failure to update an object or a warning stating that a particular rule or object does not exist.
The following is an example of what happens when modifying an object after removing an associated NAT rule:
1) Change an object from Host to FQDN within a NAT rule. The FMC should give an error message indicating that the object cannot be set to FQDN since it is being used by a NAT rule, which is expected behavior given that FQDN objects are not supported for NAT.
2) Delete the NAT rule that prevents changing the object, then save the changes.
3) Change the object to FQDN.
4) Deploy the change. The following occurs:
FMC >> fqdn v4 geoip.elastic.co id 268435458
FTD1234 >> [error] : ERROR: Modification failed. FQDN objects are not supported in NAT commands.
ERROR: Modification failed. FQDN objects are not supported in NAT commands.
ERROR: unable to update object (geoip.elastic.co) due to internal error
ERROR: Command 'fqdn v4 geoip.elastic.co id 268435458' failed.
Config Error -- commit noconfirm revert-save
Workaround: before editing an object associated with a NAT or ACL rule that needs to be modified, delete that NAT or ACL rule first, then deploy the removal. Once that deployment completes, changes to objects that were referenced by the removed rules should work as expected.
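The ordering defect in the reproduction steps and the workaround above can be modelled in a few lines. The following is an added, constructed Python example, not Cisco code and not the FMC deployment engine; the device model, the object and rule names ("elastic-geoip", "nat-elastic", "geoip.example.net") and the change-set format are all assumptions made for illustration. It applies the same two changes in the FMC's order (object edit before rule deletion, which fails and reverts) and in the dependency-safe order (rule deletion first, which succeeds), and adds a preflight check that flags FQDN conversions still referenced by a NAT rule that the change set does not remove:

```python
"""Constructed model of FMC -> FTD deployment ordering (not Cisco code)."""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class NetObject:
    name: str
    kind: str    # "host" or "fqdn"
    value: str


@dataclass
class NatRule:
    name: str
    objects: List[str]   # names of the network objects this rule references


@dataclass
class Device:
    """Minimal stand-in for the FTD: objects, NAT rules and a command log."""
    objects: Dict[str, NetObject]
    nat_rules: Dict[str, NatRule]
    log: List[str] = field(default_factory=list)

    def referencing_rules(self, obj_name: str) -> List[str]:
        return [r.name for r in self.nat_rules.values() if obj_name in r.objects]

    def modify_object(self, obj: NetObject) -> bool:
        # The device rejects an FQDN object while any NAT rule still references it.
        if obj.kind == "fqdn" and self.referencing_rules(obj.name):
            self.log.append("ERROR: Modification failed. FQDN objects are not supported in NAT commands.")
            return False
        self.objects[obj.name] = obj
        self.log.append(f"{obj.kind} v4 {obj.value} -> object {obj.name}")
        return True

    def delete_nat_rule(self, name: str) -> bool:
        if name not in self.nat_rules:
            self.log.append(f"WARNING: NAT rule {name} does not exist")
            return False
        del self.nat_rules[name]
        self.log.append(f"no nat rule {name}")
        return True


# A change is ("delete_rule", rule_name) or ("modify_object", NetObject).
Change = Tuple[str, object]


def apply_change(dev: Device, change: Change) -> bool:
    op, arg = change
    if op == "delete_rule":
        return dev.delete_nat_rule(arg)
    if op == "modify_object":
        return dev.modify_object(arg)
    raise ValueError(f"unknown change type {op}")


def deploy(dev: Device, changes: List[Change]) -> bool:
    """Apply changes in the given order; on the first failure restore the
    pre-deployment snapshot (the revert behaviour seen in the error output)."""
    snapshot = (deepcopy(dev.objects), deepcopy(dev.nat_rules))
    for change in changes:
        if not apply_change(dev, change):
            dev.objects, dev.nat_rules = snapshot
            dev.log.append("Config Error -- commit noconfirm revert-save")
            return False
    return True


def order_changes(changes: List[Change]) -> List[Change]:
    """Dependency-safe order: rule deletions first, then object edits, so an
    edit never runs against a rule that is about to be removed."""
    deletes = [c for c in changes if c[0] == "delete_rule"]
    others = [c for c in changes if c[0] != "delete_rule"]
    return deletes + others


def preflight(dev: Device, changes: List[Change]) -> List[str]:
    """List FQDN conversions that a NAT rule surviving this deployment still uses."""
    remaining = set(dev.nat_rules) - {arg for op, arg in changes if op == "delete_rule"}
    problems = []
    for op, arg in changes:
        if op == "modify_object" and arg.kind == "fqdn":
            users = [r for r in dev.referencing_rules(arg.name) if r in remaining]
            if users:
                problems.append(f"{arg.name}: still used by NAT rule(s) {', '.join(users)}")
    return problems


def make_device() -> Device:
    # Constructed starting state: one host object referenced by one NAT rule.
    return Device(
        objects={"elastic-geoip": NetObject("elastic-geoip", "host", "198.51.100.10")},
        nat_rules={"nat-elastic": NatRule("nat-elastic", ["elastic-geoip"])},
    )


# Constructed change set in the order the report describes the FMC using.
CHANGES: List[Change] = [
    ("modify_object", NetObject("elastic-geoip", "fqdn", "geoip.example.net")),
    ("delete_rule", "nat-elastic"),
]


def run_fmc_order() -> bool:
    return deploy(make_device(), CHANGES)


def run_safe_order() -> bool:
    return deploy(make_device(), order_changes(CHANGES))


if __name__ == "__main__":
    print("FMC order :", run_fmc_order())
    print("safe order:", run_safe_order())
    print("preflight :", preflight(make_device(), CHANGES[:1]))
```

The `preflight` function is the check a practitioner would want before pushing a policy: run it against the staged change set, and any object it reports needs its referencing rule removed in an earlier deployment, exactly as the workaround describes.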
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html