topic Re: FTDs and ACE limit in Network Security

FTDs and ACE limit

hoffa2000 — Fri, 21 Feb 2020 17:43:28 GMT

I've previously had problems with 5512-Xs running ASA having an ACE limit of 100K. Is ACE a relevant limit for 5516-Xs running FTD 6.4.0.4? What about FTD 2110? I've read somewhere the limit is 200K for ASA 5516-X running ASA code but nothing specific for FTD 5516-X.

The reason I ask is because I recently have had issues with two sets of 5516-Xs having just above 220K ACE entries for the main global access list generated by the FMC in the ASA code. I didn't think much of it at the time of the incidents but I'm starting to wonder.

Regards

Fredrik

Re: FTDs and ACE limit

Marvin Rhoads — Thu, 28 Nov 2019 11:55:09 GMT

The recommended maximum AC Elements on ASA 5516-x running FTD is 125,000.

I don't have a number for Firepower 2110 but for 2120 it is 75,000

Re: FTDs and ACE limit

nspasov — Thu, 28 Nov 2019 17:04:56 GMT

What Marvin said. Also, I would recommend reaching out to TAC as they can help you validate if you are indeed starting to reach and exceed the recommended limits. In addition, there are ways you can optimize your rules which will in turn reduce your ACL elements.

I hope this helps!

Thank you for rating helpful posts!

Re: FTDs and ACE limit

askaerr — Thu, 30 Apr 2020 07:38:17 GMT

From Cisco Live BRKSEC-3455 (https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3455.pdf): Max Recommended AC element count limit is 50k for FPR 2110.

Kr,