Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
943
Views
0
Helpful
4
Replies

Firewall Response is very slow while applying ACL

Ganesan Palaniappan
Level 1
Level 1

‎11-28-2012 10:25 PM - edited ‎03-11-2019 05:29 PM

Hi Friends,

A Very funny and peculiar issue i am facing in one of the Firewall recently and i am not sure about the root cause.

Here is the Scanerio:

I am managing a firewall over remotely in my LAN itself. I started a continous ping to the Firewall IP and the response is less than 1 ms.

While applying some access control list to the firewall via putty ...Suddenly the latency is going hing and it is hitting xxxx ms. And also the acl are getting pasted on the screen by word by word. Sometimes i used to get some RTO for the Firewall IP Address inth eping response.

Why it is happening and what is the root cause for this.

Please find the Firewall Version:

Cisco ASA 5510

Version : 7.2

Having more than 600 ACL's.

Regards,

Gan

Labels:
0 Helpful
4 Replies 4

Jouni Forss
VIP Alumni
VIP Alumni

‎11-29-2012 12:39 AM

Hi,

Do you mean that you actually have 600 different access-lists or is that the amount of ACL lines (ACEs) ?

If thats the amount of actual access-lists I'd imagine you might be running into problems with the devices resources.

I have never personally had this situation with ASAs

On FWSM side I have run intoa situation where customer had such a large amount of access-list (very specific rules built) that the FWSM resources hit the cap assigned to the customer firewall.

- Jouni

0 Helpful

Ganesan Palaniappan
Level 1
Level 1
In response to Jouni Forss

‎11-29-2012 03:31 AM

Hi,

I am having 600 ACE's. Is there any limitations on the number of ACE's we should have in ASA.

Regards,

Gan

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to Ganesan Palaniappan

‎11-29-2012 03:56 AM

Hi,

I'm not sure if theres any information available regarding that. I guess it depends just how much memory your ASA has. Dont think there is any other limit regarding ACLs on ASA.

But I'm not the best person to answer about this.

I don't think 600 lines of ACL should be any problem though.

Only similiar thing I have expirienced is with Cisco FWSM when configuring access-list lines to them. The management connections seems to slow down abit at those times.

Maybe some Cisco employee could answer your question if they happen to check this topic out.

I guess in the meanwhile you could check your memory usage on the ASA

"show memory"

I guess some of the commands I had in mind are only used when the ASA is in multiple context mode.

- Jouni

0 Helpful

lukedp
Level 1
Level 1

‎11-29-2012 04:46 AM

Hi Ganesan,

1st Check you memory with a show memory command

2nd Check your order of your ACL/ACE's

3rd see if you can try and reduce the amount of ACL/ACE's or use some smarts arounf they way they are written.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card