04-17-2013 06:09 AM - edited 03-11-2019 06:30 PM
Hi
I have configured the primary firewall and everything seems to be fine, and we have configured a failover device. While the config is getting replicated to the failover device we are getting the below error:
ERROR: Cannot add policy to rule engine
ERROR: Unable to assign access-list Lan_out to interface inside
IOS and model are the same. All the config got replicated from primary to secondary except the one access-group command:
access-group Lan_out in interface inside
Thanks
Diwa
04-17-2013 07:19 AM
The first thing mentioned when searching information about the error message hints to a situation where there is not enough memory for the ACL configuration.
I think from some software level onwards the ASAs could actually be of different RAM setup.
Is it possible that the ASAs have different amounts of RAM?
You could use "show version" on both units to confirm the RAM setup of each ASA.
- Jouni
04-17-2013 06:22 AM
Hi,
Haven't faced this issue myself, so this is just a pure guess.
Is there a chance that someone has been configuring the Secondary firewall and changed the "inside" interface "nameif" to something else?
You could confirm this by directly logging into the secondary unit and issuing the command "show run interface".
Somehow I think though that this might be something else.
- Jouni
04-17-2013 06:29 AM
Hi Jouni,
We have verified this already; I have logged in and double-checked on the secondary firewall that the nameif is inside, which is the same as on the primary.
-Diwa
04-17-2013 07:13 AM
Hi,
Have you taken the "show run" output from both units and compared them with, for example, Microsoft Word or some other program to see if there is anything different?
Could there be some issue with memory?
Is this some Failover setup that has been working before this issue? Or have you just added the secondary unit and you encountered the problem before the setup even got working?
The only sync/replication problem I have had with ASA A/S Failover was when the sync got stuck and wouldn't go through. I ended up removing the standby unit from the network, erased its configuration and configured only what was required by the Failover, and then the configuration sync went through without problems.
Again, these are just guesses and suggestions. I am not sure what the problem might be.
- Jouni
04-17-2013 07:37 AM
Hi
I have compared the primary and secondary unit running configs using a compare tool.
Everything is identical except one command, which is missing from the secondary: access-group Lan_out in interface inside
Changes which we are doing on the primary are getting replicated without issue, and also "sh failover state" says
Sync Done - STANDBY
But we found the RAM in the primary unit is 2 GB and in the secondary is 1 GB.
We are planning to erase the config and replicate once again from the primary unit.
- Diwa
04-17-2013 07:40 AM
Hi,
If you have complicated ACLs which, for example, use "object-group", I imagine the ACLs grow very large and consume a lot of memory. Other configurations which use the ACLs might also be a cause.
You could check what the memory status is on the primary unit, which has more RAM.
Use the command:
show memory usage
- Jouni
04-17-2013 07:44 AM
By giving the below command:
show memory
Free memory: 1465222416 bytes (68%)
Used memory: 682261232 bytes (32%)
We don't have the option "show mem usage".
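As an added illustration of the three checks suggested in this thread (diffing the two running configs for the missing access-group line, comparing RAM via "show version", and reading the "show memory" figures), not code from any poster: the sample outputs below are constructed from the thread, and the "Hardware: ..., NNNN MB RAM" line format of show version is an assumption.

```python
import re

# Constructed sample output modelled on the thread; not captured from the poster's units.
PRIMARY_RUN = """interface GigabitEthernet0/1
 nameif inside
 security-level 100
access-list Lan_out extended permit tcp any any eq 443
access-group Lan_out in interface inside
"""
STANDBY_RUN = PRIMARY_RUN.replace("access-group Lan_out in interface inside\n", "")
PRIMARY_VER = "Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz"  # assumed format
STANDBY_VER = "Hardware:   ASA5520, 1024 MB RAM, CPU Pentium 4 Celeron 2000 MHz"  # assumed format
PRIMARY_MEM = "Free memory: 1465222416 bytes (68%)\nUsed memory: 682261232 bytes (32%)\n"

def missing_on_standby(primary: str, standby: str) -> list[str]:
    """Lines present in the primary running-config but absent from the standby's."""
    standby_lines = {line.rstrip() for line in standby.splitlines()}
    return [line.rstrip() for line in primary.splitlines()
            if line.strip() and line.rstrip() not in standby_lines]

def access_group_gaps(primary: str, standby: str) -> list[str]:
    """Only the access-group bindings that failed to replicate."""
    return [l for l in missing_on_standby(primary, standby) if l.startswith("access-group ")]

def ram_mb(show_version: str) -> int:
    """RAM size reported on the 'Hardware:' line of show version (format assumed)."""
    m = re.search(r"(\d+) MB RAM", show_version)
    if not m:
        raise ValueError("no 'MB RAM' field in show version output")
    return int(m.group(1))

def parse_show_memory(text: str) -> dict:
    """Free/Used byte counts from 'show memory', plus the total they imply."""
    vals = {m.group(1).lower(): int(m.group(2))
            for m in re.finditer(r"^(Free|Used) memory:\s+(\d+) bytes", text, re.M)}
    total = vals["free"] + vals["used"]
    return {**vals, "total": total, "used_pct": round(100 * vals["used"] / total)}

def failover_pair_report(p_run, s_run, p_ver, s_ver, p_mem) -> dict:
    """Combine the checks the thread walks through into one result dict."""
    mem = parse_show_memory(p_mem)
    return {
        "ram_mismatch": ram_mb(p_ver) != ram_mb(s_ver),
        "primary_total_mb": mem["total"] // (1024 * 1024),
        "primary_used_pct": mem["used_pct"],
        "missing_access_groups": access_group_gaps(p_run, s_run),
    }
```

On the thread's numbers the free and used bytes sum to exactly 2 GiB, matching the 2 GB the poster found on the primary, while the standby reports 1 GB; the report flags that mismatch alongside the single unreplicated access-group line.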