Ask questions from Thursday, August 20 to Friday, August 28 2020
We have recently migrated from ASA to FTD(9300 SM56) and we use FMC 4600.
After the migration, we are now facing rule-base capacity related issues. We just have 18K odd rules. The system does not allow adding more rules. We did not have this problem while we were on ASA. The error is
"Rule validation failed due to insufficient resources causing deployment failure. Please consider reducing the rule set..." In the troubleshooting details, it shows that the process stops at "FWRuleChecker validation..." with an error "Failed to parse identity rules file - 153".
Can you please throw some light on this? We did not have any issues during or immediately after migration, but this issue cropped up after a while. Sorry, my question may not be exactly on the migration tool but is related to ASA-FTD migration, and I hope you'll help me by giving some direction. Where can I find the capacity limits for the FTD platform and the FMC appliance?
Thanks much in advance!
@shritriv Hi Shrinad,
Sorry for my delayed response. Here is the output that you asked for:
access-list CSM_FW_ACL_; 683042 elements; name hash: 0x4a69e3f3
So, the count of 683K should be much less than the 6M limit that this platform can handle?
What else can we check with this, please?
Thanks for your attention!
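The `show access-list` summary line quoted above reports expanded access-list elements (ACEs after object and object-group expansion), which is why 18K-odd rules show up as 683K elements on the device. The following is an added example, not code from the thread or from Cisco: it parses that summary line out of constructed sample output and compares the element count against a platform limit. The 6M figure is the poster's stated value and the 18,000 rule count approximates "18K odd"; both are passed in as parameters rather than assumed to be authoritative.

```python
import re

# Constructed sample output in the format of an ASA/FTD `show access-list`
# summary; the CSM_FW_ACL_ line reproduces the figures quoted in the thread,
# the first two lines are constructed padding in the usual output shape.
SAMPLE_OUTPUT = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list CSM_FW_ACL_; 683042 elements; name hash: 0x4a69e3f3
"""

# One summary line per ACL: "access-list <name>; <n> elements; name hash: 0x..."
SUMMARY_RE = re.compile(
    r"^access-list\s+(?P<name>\S+);\s+(?P<elements>\d+)\s+elements;"
    r"\s+name hash:\s+(?P<hash>0x[0-9a-fA-F]+)",
    re.MULTILINE,
)


def parse_acl_summaries(output: str) -> dict:
    """Return {acl_name: expanded_element_count} for every summary line found."""
    return {
        m.group("name"): int(m.group("elements"))
        for m in SUMMARY_RE.finditer(output)
    }


def capacity_report(elements: int, rules: int, limit: int) -> dict:
    """Relate FMC rule count to device-side expanded elements and a stated limit.

    `limit` is whatever figure you trust for the platform (the thread cites 6M,
    which is the poster's number, not a verified datasheet value); the report
    only says how much of that figure is consumed and how far the rules expand.
    """
    if rules <= 0 or limit <= 0:
        raise ValueError("rules and limit must be positive")
    return {
        "elements": elements,
        "rules": rules,
        # Average ACEs generated per FMC rule after object expansion.
        "expansion_ratio": round(elements / rules, 1),
        "limit": limit,
        "percent_of_limit": round(100.0 * elements / limit, 1),
        "exceeds_limit": elements > limit,
    }


def report_from_output(output: str, rules: int, limit: int,
                       acl_name: str = "CSM_FW_ACL_") -> dict:
    """Parse the show output and build the capacity report for one ACL."""
    counts = parse_acl_summaries(output)
    if acl_name not in counts:
        raise KeyError(f"no summary line for {acl_name}")
    return capacity_report(counts[acl_name], rules, limit)


if __name__ == "__main__":
    # 18_000 approximates the poster's "18K odd rules"; 6_000_000 is their cited limit.
    print(report_from_output(SAMPLE_OUTPUT, rules=18_000, limit=6_000_000))
```

A high expansion ratio is the practical signal here: the rule count in FMC is not what the device validates, so collapsing large object groups or overlapping rules reduces the element count far more than it reduces the visible rule count.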
The number of ACEs on both FTD and ASA is definitely less than the supported number on this platform.
This issue can be due to other factors like available memory on the device etc.
I would suggest opening a TAC case and getting this troubleshot.
Thanks Aditya. The TAC case was already there and it is not helping much. It's not going in the right direction.
The push from TAC is still to optimize the rules. While that can be done, it should not prevent new rules being added.
Nevertheless, thanks for your confirmation!