cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

337
Views
10
Helpful
2
Replies
Highlighted

Cisco FPR 9300 SM56 and FMC 4600 w/ 6.6.0 version - capacity details

Hello,

 

We are using FPR-9300 w/ FMC 4600, both FMC and FTD running the 6.6.0 version image.

 

We are getting the following error, while adding new rules:

"Rule validation failed due to insufficient resources causing deployment failure. Please consider reducing the rule set..."

In the troubleshooting details, it shows that the process stops at "FWRuleChecker validation..." with an error "Failed to parse identity rules file - 153".

 

We are able to add rules, after removing some unused/redundant rules but I don't think, this can go on (some rules may have to be put back when needed).

 

We have ~600K objects and 18K rules which I believe is way below the capacity that this platform can support.

 

Can someone please help with the capacity limits for this device in terms of rule/object counts or any other metrics? The datasheets talk about performance throughput and some other numbers like concurrent sessions but not the rule base size that I can map with this error.

Thanks in advance, for your help!

 

Regards,

Krishna

2 REPLIES 2
Highlighted
Hall of Fame Guru

Please check the number of elements resulting from the combinations of your ACL entries and the objects they reference.You can do this from the cli with:

show access-list | include elements

While there's not a hardcoded limit, the Firepower 9300 with SM-56 should be able to accommodate up to 6,000,000 elements.

Reference: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3455.pdf (pages 26-27)

Highlighted
VIP Advisor

I faced something similar. The first suggestion is to remove all range
objects and replace them with subnets (you can use multiples of small
masks).

I had a discussion with couple of Cisco SEs and experimented this and can
confirm that Range Objects take from Global Shared Pool and they
overwhelm the memory fast.

Second use the command show access-list | count to see the number of ACLs.
You might be surprised that inefficient rules/objects can generate millions
of ACLs when they are expanded and deployed. Remember that objects are
expanded when they are stored in ASA memory,

**** please remember to rate useful posts
Content for Community-Ad