Cisco FPR 9300 SM56 and FMC 4600 w/ 6.6.0 version - capacity details

Hello,

We are using FPR-9300 w/ FMC 4600, both FMC and FTD running the 6.6.0 version image.

We are getting the following error, while adding new rules:

"Rule validation failed due to insufficient resources causing deployment failure. Please consider reducing the rule set..."

In the troubleshooting details, it shows that the process stops at "FWRuleChecker validation..." with an error "Failed to parse identity rules file - 153".

We are able to add rules after removing some unused/redundant rules, but I don't think this can go on (some rules may have to be put back when needed).

We have ~600K objects and 18K rules, which I believe is way below the capacity that this platform can support.

Can someone please help with the capacity limits for this device in terms of rule/object counts or any other metrics? The datasheets talk about performance throughput and some other numbers like concurrent sessions, but not the rule-base size that I can map to this error.

Thanks in advance for your help!

Regards,

Krishna

2 Replies

Marvin Rhoads (Hall of Fame)

Please check the number of elements resulting from the combinations of your ACL entries and the objects they reference. You can do this from the CLI with:

show access-list | include elements

While there's not a hardcoded limit, the Firepower 9300 with SM-56 should be able to accommodate up to 6,000,000 elements.

Reference: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3455.pdf (pages 26-27)

I faced something similar. The first suggestion is to remove all range objects and replace them with subnets (you can use multiples of small masks).

I had a discussion with a couple of Cisco SEs and experimented with this, and can confirm that range objects take from the global shared pool and they overwhelm the memory fast.

Second, use the command show access-list | count to see the number of ACLs. You might be surprised that inefficient rules/objects can generate millions of ACLs when they are expanded and deployed. Remember that objects are expanded when they are stored in ASA memory.

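Both replies make the same point: the rule count in FMC is not what consumes memory, the expanded element count in the ASA data plane is, and range objects inflate it badly. The script below is an added example, not code from the thread, from Cisco, or from any Firepower tool. It models that expansion with a deliberately simplified rule: one element per (source, destination, service) combination, where a host or subnet costs one element and an arbitrary IP range costs one element per CIDR block needed to cover it. The rule set and object contents are constructed sample data, and the 6,000,000 budget is the figure Marvin cites above from the referenced Cisco Live deck; use it to see how a range object or a large object group multiplies element counts before you deploy, then confirm on the box with `show access-list | include elements`.

```python
"""Estimate ACL element expansion for a Firepower/ASA rule set (added example).

Simplified model of the expansion described in the thread, not the platform's
own accounting: elements(rule) = expanded_sources x expanded_destinations x services.
"""
from __future__ import annotations

import ipaddress

# Element figure cited in the thread for the Firepower 9300 with SM-56.
ELEMENT_BUDGET = 6_000_000


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Minimal list of CIDR blocks covering the inclusive address range.

    This mirrors the advice to replace range objects with subnets: each block
    in the result is one subnet object you would need instead of the range.
    """
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def network_elements(obj: tuple) -> int:
    """Data-plane elements consumed by one network object.

    obj is ('host', ip), ('subnet', cidr) or ('range', first_ip, last_ip).
    A host or subnet is a single element; a range costs one per CIDR block.
    """
    kind = obj[0]
    if kind in ("host", "subnet"):
        return 1
    if kind == "range":
        return len(range_to_cidrs(obj[1], obj[2]))
    raise ValueError(f"unknown network object kind: {kind!r}")


def rule_elements(rule: dict) -> int:
    """Elements for one rule: expanded sources x expanded destinations x services."""
    src = sum(network_elements(o) for o in rule["sources"])
    dst = sum(network_elements(o) for o in rule["destinations"])
    svc = len(rule["services"])
    return src * dst * svc


def ruleset_elements(rules: list[dict]) -> int:
    """Total elements across the rule set."""
    return sum(rule_elements(r) for r in rules)


def budget_report(rules: list[dict], budget: int = ELEMENT_BUDGET) -> dict:
    """Summarise the rule set against the element budget and name the worst rule."""
    if not rules:
        return {"total": 0, "budget": budget, "within_budget": True,
                "largest_rule": None, "largest_rule_elements": 0}
    total = ruleset_elements(rules)
    worst = max(rules, key=rule_elements)
    return {"total": total, "budget": budget, "within_budget": total <= budget,
            "largest_rule": worst["name"], "largest_rule_elements": rule_elements(worst)}


# --- Constructed sample data (not from any real deployment) ---------------
SERVICES = ["tcp/80", "tcp/443", "tcp/22", "tcp/3389", "udp/53"]

# The same intent written two ways: a 1-254 range versus the /24 that covers it.
RANGE_RULE = {
    "name": "range-objects",
    "sources": [("range", "10.0.0.1", "10.0.0.254")],
    "destinations": [("range", "192.168.1.1", "192.168.1.254")],
    "services": SERVICES,
}
SUBNET_RULE = {
    "name": "subnet-objects",
    "sources": [("subnet", "10.0.0.0/24")],
    "destinations": [("subnet", "192.168.1.0/24")],
    "services": SERVICES,
}

# A single "allow these servers to those servers on these ports" rule built
# from large host groups: 200 x 300 x 50 = 3,000,000 elements on its own.
BIG_GROUP_RULE = {
    "name": "big-host-groups",
    "sources": [("host", f"10.1.{i // 256}.{i % 256}") for i in range(200)],
    "destinations": [("host", f"10.2.{i // 256}.{i % 256}") for i in range(300)],
    "services": [f"tcp/{8000 + p}" for p in range(50)],
}

SAMPLE_RULES = [RANGE_RULE, SUBNET_RULE, BIG_GROUP_RULE]

if __name__ == "__main__":
    print("range 10.0.0.1-10.0.0.254 ->", len(range_to_cidrs("10.0.0.1", "10.0.0.254")), "CIDR blocks")
    for r in SAMPLE_RULES:
        print(f"{r['name']:>18}: {rule_elements(r):>10,} elements")
    print(budget_report(SAMPLE_RULES))
```

Running it shows the two range objects turning a 5-element rule into a 980-element one, and a single rule with large host groups eating half the cited budget by itself; that is the "millions of ACLs" effect the second reply describes, and the per-rule column is what to attack first when trimming.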