[9.191][CLOSED] Can't disable Cisco VPN

When I try to disable the Cisco VPN in WebAdmin it looks like it is going to turn off, but as soon as you refresh the page or browse to a different section and come back, the Cisco VPN is still enabled.

*EDIT* I should have mentioned that this is both with IE 11 and Firefox web browsers.
  • Hi,

    I can't reproduce your problem on my Windows 7 with Firefox and IE11 (9.192).
    Can you please clear your cache and check if the problem happens again? [:)]
  • Clearing cache did not make a difference.

    I did see that if I click apply without changing any settings I get the following error.  I wonder if this is related to it not disabling.

    "The Cisco VPN client connection object needs firewall objects for the outgoing auto-packetfilter rule attribute. "
  • Hi, 
    can you please attach the confd-debug.log or the confd.log in your next post?
    It seems that there is a problem with your packetfilter rules.

    Maybe it helps if you remove the "Automatic Firewall rules" checkbox.
    Save your changes and then add it again and save it.
  • It pops up the same error when I try to remove auto packet filter rules and doesn't disable it as well. Basically I can't make any changes to the Cisco VPN that will save. That error pops up no matter what I do.

    I will post log later.
  • Here is the pertinent confd.log:

    2014:01:17-11:28:18 nlphome confd[8577]:  id="3100" severity="warn" sys="System" sub="confd" name="OBJECT_OBJECT_BADREF (The Cisco VPN client connection object needs firewall objects for the outgoing auto-packetfilter rule attribute.)" class="ipsec_connection" type="roadwarrior_cisco" ref="REF_sFZxkudUZB" attr="auto_pf_out" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" call="change_object" check="input" badref="REF_GCyXsRNzHm" goodclass="packetfilter"
    2014:01:17-11:28:28 nlphome confd[8577]:  id="3100" severity="warn" sys="System" sub="confd" name="OBJECT_OBJECT_BADREF (The Cisco VPN client connection object needs firewall objects for the outgoing auto-packetfilter rule attribute.)" class="ipsec_connection" type="roadwarrior_cisco" ref="REF_sFZxkudUZB" attr="auto_pf_out" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" call="set_object" check="input" badref="REF_GCyXsRNzHm" goodclass="packetfilter"
    2014:01:17-11:28:30 nlphome confd[8577]:  id="3100" severity="warn" sys="System" sub="confd" name="OBJECT_OBJECT_BADREF (The Cisco VPN client connection object needs firewall objects for the outgoing auto-packetfilter rule attribute.)" class="ipsec_connection" type="roadwarrior_cisco" ref="REF_sFZxkudUZB" attr="auto_pf_out" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" call="set_object" check="input" badref="REF_GCyXsRNzHm" goodclass="packetfilter"


    I looked up the badref REF_GCyXsRNzHm and it does not exist in the configuration database.
  • And here is the confd-debug log:

    2014:01:17-11:28:18 UTM confd[8577]: D sys::AUTOLOAD:301() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" lock="none" method="get_cisco_object_or_default"
    
    2014:01:17-11:28:18 UTM confd[8577]: D sys::AUTOLOAD:301() => id="3100" severity="debug" sys="System" sub="confd" name="internal call" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" call="get_cisco_object_or_default" lock="none" method="get"
    2014:01:17-11:28:18 UTM confd[8577]: D sys::AUTOLOAD:301() => id="3100" severity="debug" sys="System" sub="confd" name="internal call" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" call="get_cisco_object_or_default" lock="none" method="get_object"
    2014:01:17-11:28:18 UTM confd[8577]: D Storage::lock:185() => id="3100" severity="debug" sys="System" sub="confd" name="locked storage" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" storage="/cfg"
    2014:01:17-11:28:18 UTM confd[8577]: D sys::AUTOLOAD:301() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" lock="auto" method="change_object"
    2014:01:17-11:28:18 UTM confd[8577]: >=========================================================================
    2014:01:17-11:28:18 UTM confd[8577]: D Object::set_object:1136() => id="3100" severity="debug" sys="System" sub="confd" name="set_object" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" call="change_object" object="$VAR1 = {
    2014:01:17-11:28:18 UTM confd[8577]:           'ref' => 'REF_sFZxkudUZB',
    2014:01:17-11:28:18 UTM confd[8577]:           'lock' => '',
    2014:01:17-11:28:18 UTM confd[8577]:           'autoname' => 1,
    2014:01:17-11:28:18 UTM confd[8577]:           'hidden' => 0,
    2014:01:17-11:28:18 UTM confd[8577]:           'type' => 'roadwarrior_cisco',
    2014:01:17-11:28:18 UTM confd[8577]:           'class' => 'ipsec_connection',
    2014:01:17-11:28:18 UTM confd[8577]:           'data' => {
    2014:01:17-11:28:18 UTM confd[8577]:                       'status' => 0,
    2014:01:17-11:28:18 UTM confd[8577]:                       'certificate' => 'REF_eMuXPAUsTo',
    2014:01:17-11:28:18 UTM confd[8577]:                       'iphone_ondemand_enabled' => 0,
    2014:01:17-11:28:18 UTM confd[8577]:                       'auto_pf_out' => 'REF_GCyXsRNzHm',
    2014:01:17-11:28:18 UTM confd[8577]:                       'aaa' => [
    2014:01:17-11:28:18 UTM confd[8577]:                                  'REF_rMwITjdISa'
    2014:01:17-11:28:18 UTM confd[8577]:                                ],
    2014:01:17-11:28:18 UTM confd[8577]:                       'interface' => 'REF_NmErvDwQkB',
    2014:01:17-11:28:18 UTM confd[8577]:                       'ip_assignment_pool' => 'REF_DefaultCiscoRWPool',
    2014:01:17-11:28:18 UTM confd[8577]:                       'iphone_ondemand_domains' => [],
    2014:01:17-11:28:18 UTM confd[8577]:                       'auto_pfrule' => 1,
    2014:01:17-11:28:18 UTM confd[8577]:                       'iphone_hostname' => 'HOSTNAME',
    2014:01:17-11:28:18 UTM confd[8577]:                       'auto_pf_in' => 'REF_qKwNRistpY',
    2014:01:17-11:28:18 UTM confd[8577]:                       'name' => 'for User to Internal (Network)',
    2014:01:17-11:28:18 UTM confd[8577]:                       'networks' => [
    2014:01:17-11:28:18 UTM confd[8577]:                                       'REF_cpWdncLlma'
    2014:01:17-11:28:18 UTM confd[8577]:                                     ],
    2014:01:17-11:28:18 UTM confd[8577]:                       'iphone_ondemand_type' => 'OnDemandMatchDomainsOnRetry',
    2014:01:17-11:28:18 UTM confd[8577]:                       'iphone_connection_name' => 'CISCO VPN NAME',
    2014:01:17-11:28:18 UTM confd[8577]:                       'comment' => '',
    2014:01:17-11:28:18 UTM confd[8577]:                       'iphone_status' => 1
    2014:01:17-11:28:18 UTM confd[8577]:                     },
    2014:01:17-11:28:18 UTM confd[8577]:           'nodel' => ''
    2014:01:17-11:28:18 UTM confd[8577]:         };" external="1"
    2014:01:17-11:28:18 UTM confd[8577]:  id="3100" severity="warn" sys="System" sub="confd" name="OBJECT_OBJECT_BADREF (The Cisco VPN client connection object needs firewall objects for the outgoing auto-packetfilter rule attribute.)" class="ipsec_connection" type="roadwarrior_cisco" ref="REF_sFZxkudUZB" attr="auto_pf_out" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" call="change_object" check="input" badref="REF_GCyXsRNzHm" goodclass="packetfilter"
    2014:01:17-11:28:18 UTM confd[8577]: D Storage::unlock:289() => id="3100" severity="debug" sys="System" sub="confd" name="discarded changes and released lock" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" storage="/cfg"
    2014:01:17-11:28:18 UTM confd[8577]: D Storage::update:88() => id="3108" severity="debug" sys="System" sub="confd" name="reloading storage" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" version="4740" storage="/cfg"
    2014:01:17-11:28:18 UTM confd[8577]: D sys::AUTOLOAD:301() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" lock="none" method="get_object"
    2014:01:17-11:28:18 UTM confd[8577]: D sys::AUTOLOAD:301() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" lock="none" method="may"
    2014:01:17-11:28:18 UTM confd[8577]: D sys::AUTOLOAD:301() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" lock="none" method="wait_for_update"
    2014:01:17-11:28:18 UTM confd[8577]: D Storage::update:88() => id="3108" severity="debug" sys="System" sub="confd" name="reloading storage" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" call="wait_for_update" version="4740" storage="/cfg"
    2014:01:17-11:28:18 UTM confd[8577]: D sys::AUTOLOAD:301() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" lock="none" method="freeze"
    2014:01:17-11:28:18 UTM confd[8577]: D sys::AUTOLOAD:301() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" lock="none" method="get_version"
    2014:01:17-11:28:18 UTM confd[8577]: D sys::AUTOLOAD:301() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" lock="none" method="thaw"
    2014:01:17-11:28:18 UTM confd[8577]: D sys::AUTOLOAD:301() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" lock="none" method="list_sessions"
    2014:01:17-11:28:18 UTM confd[8577]: D sys::AUTOLOAD:301() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" lock="none" method="list_sessions"

  • I looked up the badref REF_GCyXsRNzHm and it does not exist in the configuration database.


    Hi Nathan,

    Did you install the ISO via an up2date? We are trying to find the root cause of the missing reference, but we could not reproduce this issue. Since when do you have this problem?
    Meanwhile, can you please try creating the reference manually (it's a workaround)? Steps:
    1) Via SSH, create a file (e.g. named "autopfout")
    2) In the file add the following content:
    {
      'class' => 'packetfilter',
      'type' => 'packetfilter',
      'ref' => 'REF_GCyXsRNzHm',
      'data' => {
        'action' => 'accept',
        'auto' => 1,
        'auto_type' => 'ipsec',
        'destinations' => ['REF_rMwITjdISa'],
        'direction' => 'out',
        'services' => ['REF_ServiceAny'],
        'sources' => ['REF_cpWdncLlma'],
        'status' => 1,
      },
    }

    3) Create the object from that file with the REF_GCyXsRNzHm reference, by feeding the file to confd on stdin:
    cc -noquote -stdin set_object < autopfout
  • I did an up2date to the beta version from version 9.106.

    This config has been in there since late Version 7 or early Version 8.  I never use it and happened to see it while I was doing some tuning with the beta.  That's when I noticed I couldn't disable it.

    I made the file and ran the command you said and got the following output:
    cc -noquote -stdin set_object  [
    
                            'class',
                            'type',
                            'attr'
                          ],
              'Cattrs' => [
                            'goodclass',
                            'badclass'
                          ],
              'Oattrs' => [
                            'class',
                            'type'
                          ],
              'attr' => 'destinations',
              'attrs' => [],
              'badclass' => 'aaa',
              'badref' => 'REF_rMwITjdISa',
              'check' => 'input',
              'class' => 'packetfilter',
              'fatal' => 0,
              'format' => 'The %_O object needs %_C, not %_C objects for the %_A attribute.',
              'goodclass' => 'network',
              'msgtype' => 'OBJECT_OBJECT_CLASS',
              'name' => 'The firewall rule object needs network, not user and group objects for the destinations attribute.',
              'never_hide' => 0,
              'ref' => 'REF_GCyXsRNzHm',
              'type' => 'packetfilter'
            }
    {
              'attr' => 'destinations',
              'attrs' => [
                           'number',
                           'remove'
                         ],
              'check' => 'input',
              'class' => 'packetfilter',
              'fatal' => undef,
              'format' => 'Removing %d invalid element(s) \'%s\' from the list.',
              'msgtype' => 'DATATYPE_ARRAY_ELEMENT',
              'name' => 'Removing 1 invalid element(s) \'REF_rMwITjdISa\' from the list.',
              'never_fatal' => 1,
              'never_hide' => 0,
              'number' => 1,
              'ref' => 'REF_GCyXsRNzHm',
              'remove' => 'REF_rMwITjdISa',
              'type' => 'packetfilter'
            }
    {
              'Aattrs' => [
                            'class',
                            'type',
                            'attr'
                          ],
              'Oattrs' => [
                            'class',
                            'type'
                          ],
              'attr' => 'destinations',
              'attrs' => [],
              'class' => 'packetfilter',
              'fatal' => 1,
              'format' => 'The %_O object may not have an empty %_A attribute.',
              'msgtype' => 'OBJECT_EMPTY',
              'name' => 'The firewall rule object may not have an empty destinations attribute.',
              'never_hide' => 0,
              'ref' => 'REF_GCyXsRNzHm',
              'type' => 'packetfilter'
            }


    The reference still doesn't show up in the config database probably due to the errors above.
  • Hi Nathan,

    I will mail you on the email address you used for this account, so we can establish a remote session.

    Thanks
    Bianca
  • Did you get my secure email I sent you with the login info?  Have you been able to remote into my box yet?
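The following Python script is an added example for this thread; it is not Sophos code and not something either poster ran. It reproduces the two confd checks visible above over a constructed mini object store shaped like the Data::Dumper output in the confd-debug log: the dangling-reference check behind the OBJECT_OBJECT_BADREF warning in Nathan's confd.log, and the attribute-class check behind the OBJECT_OBJECT_CLASS error that the workaround object tripped (a user/group ref in a firewall rule's destinations). The store contains only the refs the thread names, with made-up names and classes for them; ALLOWED_CLASSES is an assumption modelled on the two warning messages; and the helper names (parse_confd_line, check_refs, missing_refs_from_log, with_workaround) are this example's own.

```python
import re

# Added example, not Sophos code: a toy version of confd's reference integrity checks.
# Objects are dicts shaped like the Data::Dumper dumps in the thread:
#   {'ref': 'REF_...', 'class': ..., 'type': ..., 'data': {...}}

# Which object classes an attribute may point at. ASSUMPTION for this example, modelled
# on the two messages in the thread (auto_pf_out -> packetfilter; packetfilter.destinations
# -> network, not aaa). Attributes not listed are only checked for existence.
ALLOWED_CLASSES = {
    ("ipsec_connection", "auto_pf_in"): {"packetfilter"},
    ("ipsec_connection", "auto_pf_out"): {"packetfilter"},
    ("packetfilter", "sources"): {"network", "aaa"},   # assumption
    ("packetfilter", "destinations"): {"network"},
    ("packetfilter", "services"): {"service"},         # assumption
}

# confd.log fields look like key="value"; values in the thread contain no embedded quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_confd_line(line):
    """Turn the key="value" fields of one confd.log line into a dict."""
    return dict(KV_RE.findall(line))


def check_refs(objects):
    """Return [(msgtype, ref, attr, badref)] for every dangling or wrong-class REF_ value."""
    problems = []
    for obj in objects.values():
        for attr, value in obj["data"].items():
            for r in (value if isinstance(value, list) else [value]):
                if not (isinstance(r, str) and r.startswith("REF_")):
                    continue
                target = objects.get(r)
                if target is None:
                    # the case in Nathan's confd.log: the referenced object does not exist
                    problems.append(("OBJECT_OBJECT_BADREF", obj["ref"], attr, r))
                    continue
                allowed = ALLOWED_CLASSES.get((obj["class"], attr))
                if allowed is not None and target["class"] not in allowed:
                    # the case the workaround ran into: object exists but has the wrong class
                    problems.append(("OBJECT_OBJECT_CLASS", obj["ref"], attr, r))
    return problems


def missing_refs_from_log(lines, objects):
    """Collect every badref named in confd.log lines that really is absent from the store."""
    missing = set()
    for line in lines:
        fields = parse_confd_line(line)
        if "badref" in fields and fields["badref"] not in objects:
            missing.add(fields["badref"])
    return sorted(missing)


def _obj(ref, cls, typ, **data):
    return {"ref": ref, "class": cls, "type": typ, "data": data}


# Constructed store: only the refs the thread names (names/classes made up), and the Cisco
# object keeps just the attributes relevant here. REF_GCyXsRNzHm is deliberately absent.
BROKEN_CONFIG = {o["ref"]: o for o in [
    _obj("REF_cpWdncLlma", "network", "network", name="Internal (Network)"),
    _obj("REF_rMwITjdISa", "aaa", "group", name="Users"),
    _obj("REF_ServiceAny", "service", "group", name="Any"),
    _obj("REF_qKwNRistpY", "packetfilter", "packetfilter", auto=1, direction="in",
         sources=["REF_rMwITjdISa"], destinations=["REF_cpWdncLlma"],
         services=["REF_ServiceAny"], status=1),
    _obj("REF_sFZxkudUZB", "ipsec_connection", "roadwarrior_cisco", status=0,
         auto_pfrule=1, auto_pf_in="REF_qKwNRistpY", auto_pf_out="REF_GCyXsRNzHm",
         aaa=["REF_rMwITjdISa"], networks=["REF_cpWdncLlma"]),
]}

# The workaround object as posted: a user/group ref sits in 'destinations'.
WORKAROUND = _obj("REF_GCyXsRNzHm", "packetfilter", "packetfilter", action="accept",
                  auto=1, auto_type="ipsec", destinations=["REF_rMwITjdISa"],
                  direction="out", services=["REF_ServiceAny"],
                  sources=["REF_cpWdncLlma"], status=1)


def with_workaround(objects, new_obj):
    """Return a copy of the store with new_obj added under its own ref."""
    patched = dict(objects)
    patched[new_obj["ref"]] = new_obj
    return patched


# One line from the confd.log excerpt in the thread (IP masked as in the post,
# message text shortened to "(...)").
SAMPLE_LOG = [
    '2014:01:17-11:28:18 nlphome confd[8577]:  id="3100" severity="warn" sys="System" '
    'sub="confd" name="OBJECT_OBJECT_BADREF (...)" class="ipsec_connection" '
    'type="roadwarrior_cisco" ref="REF_sFZxkudUZB" attr="auto_pf_out" user="admin" '
    'srcip="***.***.***.***" facility="webadmin" client="webadmin.plx" call="change_object" '
    'check="input" badref="REF_GCyXsRNzHm" goodclass="packetfilter"',
]

if __name__ == "__main__":
    print(missing_refs_from_log(SAMPLE_LOG, BROKEN_CONFIG))
    print(check_refs(BROKEN_CONFIG))
    print(check_refs(with_workaround(BROKEN_CONFIG, WORKAROUND)))
```

Run stand-alone it first reports REF_GCyXsRNzHm as absent from the store (the log line's badref), then flags the Cisco object's auto_pf_out as a bad reference, and finally, with the posted workaround object added, flags that object's destinations attribute for holding a user/group ref. The point for anyone repairing a broken confd reference by hand is that the replacement object must satisfy the same per-attribute class constraints confd enforces on WebAdmin input, or set_object rejects it exactly as it did in the thread.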