Cisco FWSM Error

vinovinom
Level 1

Hi Guys

I am having a problem inserting rules into my Cisco FWSM using ASDM (as well as the CLI). When trying to add rules I am getting the error "UNABLE TO ADD, ACCESS-LIST CONFIG LIMIT REACHED (rc=0xc010)". I have tried checking the show resource commands, and show resource acl-partition gives me the following output for the context that I am having the problem with:

partition #:
Mode: non-exclusive
List of Contexts: <Context name>
Number of Contexts: 1 (Ref Count:1)
Number of rules:10743 (Max:14173)

My Scenario:

Running FWSM in multiple context mode. (Version - 3.2(15))

ASDM Version - 6.1(5)F

Running in Active-Failover Scenario.

Your reply is much appreciated.

Regards

Vinoth D

5 Replies

mirober2
Cisco Employee

Hi Vinoth,

Take a look at this document, specifically at the "ACL Partition Optimization" section:

https://supportforums.cisco.com/docs/DOC-13189

That section will explain how to adjust the size of the ACL partitions if you are not able to optimize the ACL configuration for the affected context. Let us know if you have specific questions about anything the document isn't clear on.

Hope that helps.

-Mike

Hi

Thanks for your reply. But I can see that there is an absolute value in the "show resource rule" output. How does this absolute value relate to the value in the output of "show resource acl-partition"?


Thanks

Vin

Hi Vin,

The output of 'show resource rule' will show you the maximum number of rules you can configure for each of the different types of rules in a single partition. This includes ACLs, but also includes things like NAT.

All of these rules added together give you the total number of "rules" you can configure in any particular partition, which is broken down per-partition and displayed in the output of 'show resource acl-partition'.

For example:

FWSM# show resource rule

Default  Configured  Absolute
CLS Rule     Limit      Limit      Max
-----------+---------+----------+---------
Policy NAT     384        384        833
ACL          14801      14801      14801
Filter         576        576       1152
Fixup         1537       1537       3074
Est Ctl         96         96         96
Est Data        96         96         96
AAA           1345       1345       2690
Console        384        384        768
-----------+---------+----------+---------
Total        19219      19219

Partition Limit - Configured Limit = Available to allocate
      19219     -      19219       =           0

Here you see that the partition limit is 19219 rules. Of those, the limit for ACL rules is 14801. The overall partition limit of 19219 is what is displayed in 'show resource acl-partition':

FWSM# show resource acl-partition

Total number of configured partitions = 12
Partition #0
        Mode                    : non-exclusive
        List of Contexts        : admin
        Number of contexts      : 1(RefCount:1)
        Number of rules         : 0(Max:19219)
Partition #1
        Mode                    : non-exclusive
        List of Contexts        : ContextA
        Number of contexts      : 1(RefCount:1)
        Number of rules         : 40(Max:19219)
Partition #2
        Mode                    : non-exclusive
        List of Contexts        : ContextC
        Number of contexts      : 1(RefCount:1)
        Number of rules         : 35(Max:19219)
Partition #3
        Mode                    : non-exclusive
        List of Contexts        : ContextB
        Number of contexts      : 1(RefCount:1)
        Number of rules         : 36(Max:19219)
Partition #4
        Mode                    : non-exclusive
        List of Contexts        : ContextD
        Number of contexts      : 1(RefCount:1)
        Number of rules         : 35(Max:19219)
Partition #5
        Mode                    : non-exclusive
        List of Contexts        : none
        Number of contexts      : 0(RefCount:0)
        Number of rules         : 0(Max:19219)
Partition #6
        Mode                    : non-exclusive
        List of Contexts        : none
        Number of contexts      : 0(RefCount:0)
        Number of rules         : 0(Max:19219)
Partition #7
        Mode                    : non-exclusive
        List of Contexts        : none
        Number of contexts      : 0(RefCount:0)
        Number of rules         : 0(Max:19219)
Partition #8
        Mode                    : non-exclusive
        List of Contexts        : none
        Number of contexts      : 0(RefCount:0)
        Number of rules         : 0(Max:19219)
Partition #9
        Mode                    : non-exclusive
        List of Contexts        : none
        Number of contexts      : 0(RefCount:0)
        Number of rules         : 0(Max:19219)
Partition #10
        Mode                    : non-exclusive
        List of Contexts        : none
        Number of contexts      : 0(RefCount:0)
        Number of rules         : 0(Max:19219)
Partition #11
        Mode                    : non-exclusive
        List of Contexts        : none
        Number of contexts      : 0(RefCount:0)
        Number of rules         : 0(Max:19219)

Hope that helps.

-Mike
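Mike's point is that the "Total" in 'show resource rule' is the per-partition ceiling shown as "Max" in 'show resource acl-partition', while each rule type (ACL, NAT, ...) has its own smaller cap inside that total. The following script is an added example, not code from this thread or from Cisco: it parses both outputs and computes, per partition, a conservative number of ACEs that can still be added. Because 'show resource acl-partition' counts rules of every type, the script assumes the worst case (every existing rule is an ACE), so the headroom it reports is a lower bound; a partition whose headroom is zero or negative is exactly the situation in the original post, where the partition still shows spare slots but the ACL type cap has been reached. The sample outputs are constructed: the rule table copies the figures Mike pasted above, while the partition list is shortened and its rule counts are invented.

```python
"""Headroom check for FWSM ACL partitions (added example, not Cisco code).

Parses constructed copies of 'show resource rule' and
'show resource acl-partition' output and reports worst-case ACE headroom.
"""
import re
from dataclasses import dataclass

# Constructed sample: figures copied from Mike's post above.
SHOW_RESOURCE_RULE = """\
FWSM# show resource rule

Default  Configured  Absolute
CLS Rule     Limit      Limit      Max
-----------+---------+----------+---------
Policy NAT     384        384        833
ACL          14801      14801      14801
Filter         576        576       1152
Fixup         1537       1537       3074
Est Ctl         96         96         96
Est Data        96         96         96
AAA           1345       1345       2690
Console        384        384        768
-----------+---------+----------+---------
Total        19219      19219
"""

# Constructed sample: three partitions, rule counts invented so that
# partition #2 has spare slots overall but is past the ACL type cap.
SHOW_RESOURCE_ACL_PARTITION = """\
FWSM# show resource acl-partition

Total number of configured partitions = 3
Partition #0
        Mode                    : non-exclusive
        List of Contexts        : admin
        Number of contexts      : 1(RefCount:1)
        Number of rules         : 0(Max:19219)
Partition #1
        Mode                    : non-exclusive
        List of Contexts        : ContextA
        Number of contexts      : 1(RefCount:1)
        Number of rules         : 40(Max:19219)
Partition #2
        Mode                    : non-exclusive
        List of Contexts        : ContextB
        Number of contexts      : 1(RefCount:1)
        Number of rules         : 14900(Max:19219)
"""


@dataclass
class Partition:
    number: int
    contexts: list
    used: int   # rules of all types currently in the partition
    max: int    # partition ceiling (= "Total" of show resource rule)


ROW_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z ]*?)\s{2,}(?P<dflt>\d+)\s+(?P<cfg>\d+)\s+(?P<abs>\d+)\s*$")
TOTAL_RE = re.compile(r"^Total\s+(?P<dflt>\d+)\s+(?P<cfg>\d+)\s*$")
PART_RE = re.compile(r"^Partition #(?P<num>\d+)")
CTX_RE = re.compile(r"List of Contexts\s*:\s*(?P<ctx>.+?)\s*$")
RULES_RE = re.compile(r"Number of rules\s*:\s*(?P<used>\d+)\(Max:(?P<max>\d+)\)")


def parse_resource_rule(text):
    """Return ({rule type: configured limit}, configured partition total)."""
    limits, total = {}, None
    for line in text.splitlines():
        if (m := ROW_RE.match(line)):
            limits[m["name"]] = int(m["cfg"])
        elif (m := TOTAL_RE.match(line)):
            total = int(m["cfg"])
    return limits, total


def parse_acl_partitions(text):
    """Return one Partition per 'Partition #n' block, in output order."""
    parts = []
    for line in text.splitlines():
        if (m := PART_RE.match(line.strip())):
            parts.append(Partition(int(m["num"]), [], 0, 0))
        elif parts and (m := CTX_RE.search(line)):
            ctx = m["ctx"]
            parts[-1].contexts = [] if ctx == "none" else [c.strip() for c in ctx.split(",")]
        elif parts and (m := RULES_RE.search(line)):
            parts[-1].used, parts[-1].max = int(m["used"]), int(m["max"])
    return parts


def worst_case_acl_headroom(parts, limits):
    """ACEs that can certainly still be added, per partition number.

    An ACE must fit under both the partition ceiling and the ACL type cap;
    assuming every existing rule is already an ACE gives a lower bound.
    """
    acl_cap = limits["ACL"]
    return {p.number: min(p.max, acl_cap) - p.used for p in parts}


def exhausted(parts, limits):
    """Partitions where adding an ACE may already fail with rc=0xc010."""
    headroom = worst_case_acl_headroom(parts, limits)
    return [p for p in parts if headroom[p.number] <= 0]


if __name__ == "__main__":
    limits, total = parse_resource_rule(SHOW_RESOURCE_RULE)
    parts = parse_acl_partitions(SHOW_RESOURCE_ACL_PARTITION)
    for p in parts:
        print(f"partition {p.number} {p.contexts}: {p.used}/{p.max} rules, "
              f"worst-case ACE headroom {worst_case_acl_headroom([p], limits)[p.number]}")
```

Run against real output, the check is worth scheduling: the partition "Max" alone hides the type cap, so a context can be rejected for new ACEs while 'show resource acl-partition' still reports thousands of free slots.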

Mike

Many thanks for your reply. In my case:

Absolute Max value is 10633 for ACL

and in the particular partition:

Number of rules :10749(Max:14173)

Does this mean that the particular context has overrun the ACL absolute max value?

In this scenario I believe we cannot tweak the partition settings to allow more for ACLs and borrow values from other rules.

Is re-partitioning the only option in this case? If so, what is the impact, and are there any easy procedures to re-partition?

Many thanks

Vin

Hi Vin,

When you hit the max, you have a couple of options to choose from:

1. Simplify your ACL configuration so you have fewer rules
2. Resize the number of partitions you have
3. Upgrade the FWSM

For option #3, an upgrade to a 4.x code train will improve the efficiency of ACL partition space, so the ACL max values will increase slightly.

For option #2, it is a fairly straightforward process but does require a reload. In general, the fewer partitions you have, the larger they will be (i.e. they can hold more ACLs). However, because the backup partition also grows in size, you end up wasting a lot of space on the blade as a whole, because the backup partition is not usable by a context.

This guide will tell you the procedure for resizing the partitions, and will also discuss best practices for choosing the number of partitions based on how many contexts you have:

https://supportforums.cisco.com/docs/DOC-13189

-Mike
