Access Control Policy apply failed (Unable to retrieve running Intrusion Policy data from device/sensor)

Austin Clark
Level 1

I'm receiving this message when trying to apply an intrusion policy to a device which is an ASA SFR module on a 5512-X. I am also unable to apply any other policy from the Defense Center.

 

This happened shortly after upgrading both the defense center and the sensor.

 

The sensor is at v5.4.0 (build 763)

The VM Defense center is at 5.4.1.1 

 

I'm just stuck. I've tried restarting both.  Just unable to push any kind of config to the sensor.

 

 

5 Replies

Austin Clark
Level 1

The build of the defense center is (33). Forgot that part.

Something bad happened during the upgrade process. Regardless,  I recovered the sensor and all is well.

How did you recover?

I uninstalled the SFR module and re-installed it using the 5.4 version.

enidvallja
Level 1

I have had this problem several times during the two years I've been working with Cisco devices, and I have always solved it by removing some rules from the Access Control Policy. There is a limit on the number of rules; if it is exceeded, the policy cannot be applied. The formula for the total number is this:

General Formula for Rule Expansion:

Number of rules on sensor = (Number of Source Subnets or hosts) * (Number of Destination Subnets or hosts) * (Number of Source Ports) * (Number of Destination Ports) * (Number of Custom URLs) * (Number of VLAN Tags) * (Number of URL Categories) * (Number of valid source and destination zone pairs)

If any of these fields is set to "ANY", substitute 1 for it in the calculation. Also, if the URL field contains a predefined category, it is counted as 1. Here is the article that explains it more properly.

 

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200522-Understand-the-Rule-Expansion-on-FirePOW.html
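As an added example (not code from this thread or from Cisco), the expansion formula quoted above applied to a small constructed policy: each non-"ANY" field contributes its object count, an "ANY" or empty field contributes 1, and the result shows which rule to trim first when the sensor rejects the policy. The rule names, subnets, URLs and zone names are made up.

```python
from dataclasses import dataclass, field

# Each field multiplies the expansion; "any" or an empty field contributes 1.
EXPANSION_FIELDS = (
    "src_networks", "dst_networks", "src_ports", "dst_ports",
    "custom_urls", "vlan_tags", "url_categories", "zone_pairs",
)

@dataclass
class AccessRule:
    name: str
    src_networks: list[str] = field(default_factory=list)
    dst_networks: list[str] = field(default_factory=list)
    src_ports: list[str] = field(default_factory=list)
    dst_ports: list[str] = field(default_factory=list)
    custom_urls: list[str] = field(default_factory=list)
    vlan_tags: list[int] = field(default_factory=list)
    url_categories: list[str] = field(default_factory=list)
    zone_pairs: list[tuple[str, str]] = field(default_factory=list)

def field_factor(values) -> int:
    """Rules contributed by one field: its object count, or 1 for empty/'any'."""
    concrete = [v for v in values if str(v).lower() != "any"]
    return max(1, len(concrete))

def expanded_rules(rule: AccessRule) -> int:
    """Product of the per-field factors for a single ACP rule (the post's formula)."""
    total = 1
    for name in EXPANSION_FIELDS:
        total *= field_factor(getattr(rule, name))
    return total

def policy_expansion(rules) -> int:
    """Total expanded rules the sensor must hold for the whole policy."""
    return sum(expanded_rules(r) for r in rules)

def largest_contributors(rules, n=3):
    """Rules to trim first when the sensor rejects the policy, biggest first."""
    ranked = sorted(rules, key=expanded_rules, reverse=True)
    return [(r.name, expanded_rules(r)) for r in ranked[:n]]

# Constructed sample policy (all values made up for this example).
SAMPLE_POLICY = [
    AccessRule("web-out", src_networks=["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"],
               dst_networks=["any"], dst_ports=["80", "443"], zone_pairs=[("inside", "outside"), ("dmz", "outside")],
               custom_urls=["a.example", "b.example", "c.example", "d.example", "e.example"]),  # 3*1*1*2*5*1*1*2 = 60
    AccessRule("default-allow"),                                                                  # all "any" -> 1
    AccessRule("guest-vlans", vlan_tags=[100, 200], url_categories=["Social", "Streaming", "Games"]),  # 2*3 = 6
]
```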
