BugZero | Cisco BugID CSCwf96938 - FMC: ACP Rule with UDP port 6081 is getting remove...

Cisco - Defect ID: CSCwf96938

FMC: ACP Rule with UDP port 6081 is getting removed after subsequent deployment

Cisco - Defect ID: CSCwf96938

FMC: ACP Rule with UDP port 6081 is getting removed after subsequent deployment

Last updated on 4/23/2025

Overall: 7.87.8

Severity: 8.28.2

Lifecycle: 9.19.1

Popularity: 4.64.6

What is the BugZero Risk Score?

Vendor details

No defect details.

Overall: 7.87.8

Severity: 8.28.2

Lifecycle: 9.19.1

Popularity: 4.64.6

What is the BugZero Risk Score?

Vendor details

No defect details.

Symptom

FMC is seen to remove rule with UDP port 6081 is removed after deployment(unrelated changes). Snip of FMC transcript: FMC >> access-list CSM_FW_ACL_ line 14 advanced permit udp ifc inside object-group FMC_INLINE_src_rule_268434453 ifc outside any eq 6081 rule-id 268434453 FMC >> no access-list CSM_FW_ACL_ advanced permit udp ifc inside object-group FMC_INLINE_src_rule_268434453 ifc outside any eq geneve rule-id 268434453 Rule before deployment: access-list CSM_FW_ACL_ remark rule-id 268434453: ACCESS POLICY: bom-copy - Mandatory access-list CSM_FW_ACL_ remark rule-id 268434453: L7 RULE: ruleone access-list CSM_FW_ACL_ advanced permit tcp ifc inside object-group FMC_INLINE_src_rule_268434453 ifc outside any object-group FTP rule-id 268434453 access-list CSM_FW_ACL_ advanced permit udp ifc inside object-group FMC_INLINE_src_rule_268434453 ifc outside any eq geneve rule-id 268434453 Rule after deployment: //line with geneve removed access-list CSM_FW_ACL_ remark rule-id 268434453: ACCESS POLICY: bom-copy - Mandatory access-list CSM_FW_ACL_ remark rule-id 268434453: L7 RULE: ruleone access-list CSM_FW_ACL_ advanced permit tcp ifc inside object-group FMC_INLINE_src_rule_268434453 ifc outside any object-group FTP rule-id 268434453

Conditions

FTD and FMC 7.2.4

Workaround

Create a custom port object for udp 6081 and refer the same to the required rules instead of directly adding udp/6081. Example Lina(After deployment): ++ Port object object-group service custom-geneve udp port-object eq geneve ++ Access-list access-list CSM_FW_ACL_ remark rule-id 268434453: ACCESS POLICY: bom-copy - Mandatory access-list CSM_FW_ACL_ remark rule-id 268434453: L7 RULE: ruleone access-list CSM_FW_ACL_ advanced permit tcp ifc inside object-group FMC_INLINE_src_rule_268434453 ifc outside any object-group FTP rule-id 268434453 access-list CSM_FW_ACL_ advanced permit udp ifc inside object-group FMC_INLINE_src_rule_268434453 ifc outside any object-group custom-geneve rule-id 268434453

Further Problem Description

None

Original Vendor Announcement

9.65Defect ID: CSCwf08698
Cat9k Crashes Unexpectedly due to a Fault in the 'TLSCLIENT_PROCESS'
9.65Defect ID: CSCwh87343
Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
9.65Defect ID: CSCvd48893
Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability
9.65Defect ID: CSCvx82406
Memory leaks in IOS_PRIV_OPER_DB
9.65Defect ID: CSCvx32806
Access Points stuck in bootloop due to image checksum verification failed

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCwf96938

FMC: ACP Rule with UDP port 6081 is getting removed after subsequent deployment

Cisco - Defect ID: CSCwf96938

FMC: ACP Rule with UDP port 6081 is getting removed after subsequent deployment

Last updated on 4/23/2025

Vendor details

Vendor details

Description

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco defects by risk score

Ready to prevent the next vendor outage?