...
After a firewall upgrade (ASA or FTD), the OSPF redistribution commands that use a route map with a prefix list, or the prefix lists under the route maps, are removed from the configuration. The ASA and FTD Configuration Guides state: "Redistribution of route maps with IPv4 or IPv6 prefix list on OSPFv2 or OSPFv3 is not supported". Nevertheless, the ASA CLI and the FMC UI allowed a route map with a prefix list to be configured and used in OSPF redistribution statements.

Symptoms

The issue affects 'redistribute static' and 'redistribute connected' statements and can manifest in two ways.

Symptom 1 - The 'redistribute' commands are removed from the OSPF configuration.

OSPF configuration before the upgrade:

  prefix-list OSPF_CONNECTED seq 10 permit 192.0.2.0/24
  prefix-list OSPF_STATIC seq 10 permit 198.51.100.0/24
  !
  route-map OSPF_STATIC permit 10
   match ip address prefix-list OSPF_STATIC
  route-map OSPF_CONNECTED permit 10
   match ip address prefix-list OSPF_CONNECTED
  !
  router ospf 1
   network 203.0.113.0 255.255.255.0 area 0
   log-adj-changes
   redistribute connected metric 1 metric-type 1 subnets route-map OSPF_CONNECTED
   redistribute static metric 1 subnets route-map OSPF_STATIC

OSPF configuration after the upgrade (the 'redistribute' statements are removed):

  router ospf 1
   network 203.0.113.0 255.255.255.0 area 0
   log-adj-changes

Symptom 2 - The 'prefix-list' commands are removed from the route map.

OSPF configuration before the upgrade:

  prefix-list OSPF_CONNECTED seq 10 permit 192.0.2.0/24
  prefix-list OSPF_STATIC seq 10 permit 198.51.100.0/24
  !
  route-map OSPF_STATIC permit 10
   match ip address prefix-list OSPF_STATIC
  route-map OSPF_CONNECTED permit 10
   match ip address prefix-list OSPF_CONNECTED
  !
  router ospf 1
   network 203.0.113.0 255.255.255.0 area 0
   log-adj-changes
   redistribute connected metric 1 metric-type 1 subnets route-map OSPF_CONNECTED
   redistribute static metric 1 subnets route-map OSPF_STATIC

OSPF configuration after the upgrade (the prefix lists were removed from the route maps):

  prefix-list OSPF_CONNECTED seq 10 permit 192.0.2.0/24
  prefix-list OSPF_STATIC seq 10 permit 198.51.100.0/24
  !
  route-map OSPF_STATIC permit 10          <--- empty
  route-map OSPF_CONNECTED permit 10       <--- empty
  !
  router ospf 1
   network 203.0.113.0 255.255.255.0 area 0
   log-adj-changes
   redistribute connected metric 1 metric-type 1 subnets route-map OSPF_CONNECTED
   redistribute static metric 1 subnets route-map OSPF_STATIC

In the case of FTD, the configuration is still present in the FMC UI, and if the user redeploys it the deployment reports success. Nevertheless, the deployment transcript shows that the commands are not deployed:

  =========SNORT APPLY=========
  ========= CLI APPLY =========
  ...
  FMC >> route-map OSPF_STATIC permit 10
  FMC >> match ip address prefix-list OSPF_STATIC
  firewall >> [info] : Match IP prefix-list in the route map is not supported for OSPF
  FMC >> router ospf 1
  FMC >> redistribute connected metric 1 subnets route-map OSPF_CONNECTED
  firewall >> [info] : Routemap ip prefix-list match is not supported for OSPF

On ASA, once the device boots after the upgrade, messages like the following can be seen:

  Reading from flash...
  !!!.ERROR: Routemap ip prefix-list match is not supported for OSPF
  *** Output from config line 180, " redistribute connected ..."
  ERROR: Routemap ip prefix-list match is not supported for OSPF
  *** Output from config line 181, " redistribute static met..."
Conditions

OSPF redistribution that uses a route map with a prefix list.
Workaround

Configure an access list instead of the prefix list, e.g.:

  access-list OSPF_STATIC_ACL standard permit 198.51.100.0 255.255.255.0
  !
  route-map OSPF_STATIC2 permit 10
   match ip address OSPF_STATIC_ACL
  !
  router ospf 1
   network 203.0.113.0 255.255.255.0 area 0
   log-adj-changes
   redistribute static metric 1 subnets route-map OSPF_STATIC2

Do the same for 'redistribute connected'.
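Because the affected commands disappear silently (the FTD deployment still reports success and the ASA only logs the errors at boot), it is worth auditing a running configuration for the unsupported combination before the upgrade rather than discovering it afterwards. The following script is an added example and is not Cisco's code or part of this advisory: it parses a saved 'show running-config' text, lists every route map that contains a 'match ip/ipv6 address prefix-list' entry, and reports each OSPF 'redistribute' statement that references one of them. The embedded config excerpt is constructed from the configuration shown above, with a second OSPF process (an assumption, for illustration) that already uses the access-list workaround so that the check can show a clean case next to an affected one.

```python
import re
from typing import List, Set, Tuple

# Constructed running-config excerpt modelled on the configuration in this
# advisory; it is not taken from any real device. Process 1 uses the unsupported
# prefix-list route maps, process 2 (assumed, for illustration) uses the
# access-list workaround.
SAMPLE_CONFIG = """\
prefix-list OSPF_CONNECTED seq 10 permit 192.0.2.0/24
prefix-list OSPF_STATIC seq 10 permit 198.51.100.0/24
access-list OSPF_STATIC_ACL standard permit 198.51.100.0 255.255.255.0
!
route-map OSPF_STATIC permit 10
 match ip address prefix-list OSPF_STATIC
route-map OSPF_CONNECTED permit 10
 match ip address prefix-list OSPF_CONNECTED
route-map OSPF_STATIC2 permit 10
 match ip address OSPF_STATIC_ACL
!
router ospf 1
 network 203.0.113.0 255.255.255.0 area 0
 log-adj-changes
 redistribute connected metric 1 metric-type 1 subnets route-map OSPF_CONNECTED
 redistribute static metric 1 subnets route-map OSPF_STATIC
!
router ospf 2
 redistribute static metric 1 subnets route-map OSPF_STATIC2
"""

ROUTE_MAP_RE = re.compile(r"^route-map (\S+) (?:permit|deny) \d+$")
PREFIX_MATCH_RE = re.compile(r"^\s+match (?:ip|ipv6) address prefix-list \S+")
# OSPFv2 is 'router ospf <id>', OSPFv3 is 'ipv6 router ospf <id>'; both are covered.
OSPF_RE = re.compile(r"^(?:ipv6 )?router ospf (\S+)$")
REDIST_RE = re.compile(r"^\s+redistribute (\S+).*\broute-map (\S+)")


def route_maps_matching_prefix_list(config: str) -> Set[str]:
    """Names of route maps with at least one entry that matches an IP or IPv6 prefix list."""
    found: Set[str] = set()
    current = None
    for line in config.splitlines():
        m = ROUTE_MAP_RE.match(line)
        if m:
            current = m.group(1)
        elif line and not line.startswith(" "):
            current = None  # any unindented line ('!', another section) ends the block
        elif current and PREFIX_MATCH_RE.match(line):
            found.add(current)
    return found


def ospf_redistributions(config: str) -> List[Tuple[str, str, str]]:
    """(process id, redistributed source, route-map name) for each OSPF redistribute naming a route map."""
    result: List[Tuple[str, str, str]] = []
    process = None
    for line in config.splitlines():
        m = OSPF_RE.match(line)
        if m:
            process = m.group(1)
        elif line and not line.startswith(" "):
            process = None
        elif process:
            r = REDIST_RE.match(line)
            if r:
                result.append((process, r.group(1), r.group(2)))
    return result


def find_unsupported_redistributions(config: str) -> List[Tuple[str, str, str]]:
    """Redistribute statements whose route map relies on a prefix list; these are lost on upgrade."""
    bad_maps = route_maps_matching_prefix_list(config)
    return [entry for entry in ospf_redistributions(config) if entry[2] in bad_maps]


if __name__ == "__main__":
    for process, source, rmap in find_unsupported_redistributions(SAMPLE_CONFIG):
        print(f"router ospf {process}: 'redistribute {source}' uses route-map {rmap}, "
              f"which matches a prefix-list; rewrite it with an access-list before upgrading")
```

Run it against the output of 'show running-config' saved to a file (replace SAMPLE_CONFIG with the file's contents); an empty result means no redistribute statement depends on a prefix-list route map, while each reported tuple identifies a route map to convert to the access-list form shown in the workaround.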
Note: Hotfix BJ 7.2.5.1-1 is NOT affected by this defect. Hotfix BJ is installed on top of 7.2.5 and only contains fixes for CSCwh23100 and CSCwh45108.