04-04-2011 01:08 AM - edited 03-11-2019 01:16 PM
Hi Guys
I am having a problem inserting rules into my Cisco FWSM using ASDM (as well as the CLI). When trying to add rules I am getting the error "UNABLE TO ADD, ACCESS-LIST CONFIG LIMIT REACHED (rc=0xc010)". I have tried checking the show resource commands, and show resource acl-partition gives me the following output for the context that I am having the problem with:
partition #:
Mode: non-exclusive
List of Contexts: <Context name>
Number of Contexts: 1 (Ref Count:1)
Number of rules:10743 (Max:14173)
My Scenario:
Running FWSM in multiple context mode. (Version - 3.2(15))
ASDM Version - 6.1(5)F
Running in Active-Failover Scenario.
Your reply is much appreciated.
Regards
Vinoth D
04-04-2011 06:02 AM
Hi Vinoth,
Take a look at this document, specifically at the "ACL Partition Optimization" section:
https://supportforums.cisco.com/docs/DOC-13189
That section will explain how to adjust the size of the ACL partitions if you are not able to optimize the ACL configuration for the affected context. Let us know if you have specific questions about anything the document isn't clear on.
Hope that helps.
-Mike
04-06-2011 04:18 AM
Hi
Thanks for your reply. But I can see that there is an absolute value in the "show resource rule" output. How does this absolute value relate to the value in the output of "show resource acl-partition"?
Thanks
Vin
04-06-2011 05:43 AM
Hi Vin,
The output of 'show resource rule' will show you the maximum number of rules you can configure for each of the different types of rules in a single partition. This includes ACLs, but also includes things like NAT.
All of these rules added together give you the total number of "rules" you can configure in any particular partition, which is broken down per-partition and displayed in the output of 'show resource acl-partition'.
For example:
FWSM# show resource rule
                Default    Configured   Absolute
CLS Rule        Limit      Limit        Max
-----------+---------+----------+---------
Policy NAT       384        384          833
ACL            14801      14801        14801
Filter           576        576         1152
Fixup           1537       1537         3074
Est Ctl           96         96           96
Est Data          96         96           96
AAA             1345       1345         2690
Console          384        384          768
-----------+---------+----------+---------
Total          19219      19219

Partition Limit - Configured Limit = Available to allocate
19219 - 19219 = 0
Here you see that the partition limit is 19219 rules. Of those, the limit for ACL rules is 14801. The overall partition limit of 19219 is what is displayed in 'show resource acl-partition':
FWSM# show resource acl-partition
Total number of configured partitions = 12
Partition #0
Mode : non-exclusive
List of Contexts : admin
Number of contexts : 1(RefCount:1)
Number of rules : 0(Max:19219)
Partition #1
Mode : non-exclusive
List of Contexts : ContextA
Number of contexts : 1(RefCount:1)
Number of rules : 40(Max:19219)
Partition #2
Mode : non-exclusive
List of Contexts : ContextC
Number of contexts : 1(RefCount:1)
Number of rules : 35(Max:19219)
Partition #3
Mode : non-exclusive
List of Contexts : ContextB
Number of contexts : 1(RefCount:1)
Number of rules : 36(Max:19219)
Partition #4
Mode : non-exclusive
List of Contexts : ContextD
Number of contexts : 1(RefCount:1)
Number of rules : 35(Max:19219)
Partition #5
Mode : non-exclusive
List of Contexts : none
Number of contexts : 0(RefCount:0)
Number of rules : 0(Max:19219)
Partition #6
Mode : non-exclusive
List of Contexts : none
Number of contexts : 0(RefCount:0)
Number of rules : 0(Max:19219)
Partition #7
Mode : non-exclusive
List of Contexts : none
Number of contexts : 0(RefCount:0)
Number of rules : 0(Max:19219)
Partition #8
Mode : non-exclusive
List of Contexts : none
Number of contexts : 0(RefCount:0)
Number of rules : 0(Max:19219)
Partition #9
Mode : non-exclusive
List of Contexts : none
Number of contexts : 0(RefCount:0)
Number of rules : 0(Max:19219)
Partition #10
Mode : non-exclusive
List of Contexts : none
Number of contexts : 0(RefCount:0)
Number of rules : 0(Max:19219)
Partition #11
Mode : non-exclusive
List of Contexts : none
Number of contexts : 0(RefCount:0)
Number of rules : 0(Max:19219)
Hope that helps.
-Mike
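To make the relationship Mike describes concrete, here is an added Python example (not from the thread and not Cisco's own tooling) that parses both outputs, works out the "Partition Limit - Configured Limit" figure, and flags any partition whose rule count is close to the tighter of its own maximum and the ACL class limit. The two sample outputs embedded in it are constructed to match the formats shown above, and the 90% warning threshold is an arbitrary choice.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample shaped like 'show resource rule'; not captured from a real FWSM.
SHOW_RESOURCE_RULE = """\
FWSM# show resource rule
                Default    Configured   Absolute
CLS Rule        Limit      Limit        Max
-----------+---------+----------+---------
Policy NAT       384        384          833
ACL            14801      14801        14801
Filter           576        576         1152
Fixup           1537       1537         3074
Est Ctl           96         96           96
Est Data          96         96           96
AAA             1345       1345         2690
Console          384        384          768
-----------+---------+----------+---------
Total          19219      19219
"""

# Constructed sample shaped like 'show resource acl-partition'; partition 2 is
# deliberately close to the ACL class limit so the report has something to flag.
SHOW_ACL_PARTITION = """\
FWSM# show resource acl-partition
Total number of configured partitions = 2
Partition #1
List of Contexts : ContextA
Number of contexts : 1(RefCount:1)
Number of rules : 40(Max:19219)
Partition #2
List of Contexts : ContextB
Number of contexts : 1(RefCount:1)
Number of rules :13900(Max:19219)
"""

PARTITION_RE = re.compile(r"^Partition #(\d+)")
CONTEXTS_RE = re.compile(r"^List of Contexts\s*:\s*(.+)$")
RULES_RE = re.compile(r"^Number of rules\s*:\s*(\d+)\s*\(Max:\s*(\d+)\)")

RuleClass = namedtuple("RuleClass", "name default configured absolute_max")

@dataclass
class Partition:
    number: int
    contexts: list = field(default_factory=list)
    rules_used: int = 0
    rules_max: int = 0

def parse_resource_rule(text):
    """Return ({class name: RuleClass}, partition limit, configured total).
    Class rows end in three integers; the 'Total' row carries the two totals."""
    classes, limit, configured = {}, None, None
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 3 and parts[0] == "Total" and all(p.isdigit() for p in parts[1:]):
            limit, configured = int(parts[1]), int(parts[2])
        elif len(parts) >= 4 and all(p.isdigit() for p in parts[-3:]):
            name = " ".join(parts[:-3])
            classes[name] = RuleClass(name, *map(int, parts[-3:]))
    return classes, limit, configured

def parse_acl_partitions(text):
    """Return Partition records; tolerates both spacings seen in the thread
    ('Number of rules :10749(Max:14173)' and 'Number of rules:10743 (Max:14173)')."""
    partitions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PARTITION_RE.match(line):
            current = Partition(int(m.group(1)))
            partitions.append(current)
        elif current is None:
            continue
        elif m := CONTEXTS_RE.match(line):
            ctx = m.group(1).strip()
            current.contexts = [] if ctx == "none" else [c.strip() for c in ctx.split(",")]
        elif m := RULES_RE.match(line):
            current.rules_used, current.rules_max = int(m.group(1)), int(m.group(2))
    return partitions

def available_to_allocate(limit, configured):
    # The arithmetic printed under the table: Partition Limit - Configured Limit
    return limit - configured

def partition_report(partitions, acl_limit, warn_pct=90.0):
    """Per partition, compare rules in use against the tighter of the partition's own
    maximum and the ACL class limit, and flag anything at or above warn_pct."""
    report = []
    for p in partitions:
        ceiling = min(p.rules_max, acl_limit)
        pct = 100.0 * p.rules_used / ceiling if ceiling else 0.0
        report.append({"partition": p.number, "contexts": p.contexts, "used": p.rules_used,
                       "ceiling": ceiling, "pct": round(pct, 1), "warn": pct >= warn_pct})
    return report

def run_sample():
    classes, limit, configured = parse_resource_rule(SHOW_RESOURCE_RULE)
    report = partition_report(parse_acl_partitions(SHOW_ACL_PARTITION), classes["ACL"].configured)
    return limit, configured, report

if __name__ == "__main__":
    limit, configured, report = run_sample()
    print(f"limit {limit}, configured {configured}, free {available_to_allocate(limit, configured)}")
    for row in report:
        print(f"partition {row['partition']} {row['contexts']}: {row['used']}/{row['ceiling']} "
              f"({row['pct']}%) {'WARN' if row['warn'] else 'ok'}")
```

Feed it the real output of the two commands (saved from a CLI session) instead of the embedded samples to get a per-partition headroom check; a partition that reports over 100% against the ACL class limit is in exactly the situation described in this thread.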
04-06-2011 08:54 AM
Mike
many thanks for your reply. In my case
Absolute Max value is 10633 for ACL
and in particular Partition:
Number of rules :10749(Max:14173)
Does this mean that the particular context has overrun ACLs above the Absolute value?
In this scenario I believe we cannot tweak the partition settings to allow more for ACLs and borrow values from other rules.
Is re-partitioning the only option in this case? if so, what is the impact of it and are there any easy procedures to re-partition?
Many thanks
Vin
04-07-2011 07:53 AM
Hi Vin,
When you hit the max, you have a couple of options to choose from:
1. Simplify your ACL configuration so you have fewer rules
2. Resize the number of partitions you have
3. Upgrade the FWSM
For option #3, an upgrade to a 4.x code train will improve the efficiency of ACL partition space, so the ACL max values will increase slightly.
For option #2, it is a fairly straightforward process but does require a reload. In general, the fewer partitions you have, the larger they will be (i.e. they can hold more ACLs). However, because the backup partition also grows in size, you end up wasting a lot of space on the blade as a whole because the backup partition is not usable by a context.
This guide will tell you the procedure for resizing the partitions, and will also discuss best practices for choosing the number of partitions based on how many contexts you have:
https://supportforums.cisco.com/docs/DOC-13189
-Mike