07-13-2010 01:00 AM - edited 03-11-2019 11:10 AM
Hi All,
I have an FWSM with s/w 3.2(2). While creating an access list, an error message appeared:
error message: "ERROR: Unable to add, access-list config limit reached"
This FWSM is single context, not multiple; I can't find the "resource acl-partition" command although it is found in the guide.
I want to know if this command applies only to multiple context? If yes, what is the method by which I can solve this problem on a single-context FW?
Thanks
07-13-2010 06:47 AM
Ibrahim,
Yes - the 'resource acl-partition' is supported only in multi-context mode. When you look at the Command Reference Guide, you will see that there is a dot only under the 'System' context in the Multiple Context mode. This implies that the command is only available via the System context:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/qr.html#wp1622931
If you are seeing this issue on a single context FWSM, your only means of recourse is to reduce the number of ACL entries that you have. This may be best accomplished by combining host access-list entries into subnet entries. Any approach that you can use to make your access-lists "less specific" will oftentimes reduce the amount of resources that the ACL takes up.
Let us know if you have any further questions. If you have no further questions, please be sure to mark this topic as 'answered'.
Best Regards,
Kevin
07-13-2010 06:26 AM
You can do "show resource usage".
Or "sh access-list | i element".
You are probably close to the 3.2 ACL limit (75K).
I hope it helps.
PK
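The two checks suggested above (reading the "elements" counters from show access-list and comparing against the per-release ACE limit) and the consolidation Kevin recommends can be scripted. The following is an added example, not code from the thread or from Cisco: it parses a constructed sample written in the style of show access-list output (assumed format, not captured from a device), reports headroom against the limits quoted later in this thread, and merges host entries into subnet entries using ipaddress.collapse_addresses, which only joins networks that are adjacent and aligned, so the result permits exactly the same addresses as the original lines rather than widening access to a whole /24.

```python
import ipaddress
import re
from collections import OrderedDict

# ACE limits per FWSM software train as quoted in this thread (single context).
ACE_LIMITS = {"3.1": 72806, "3.2": 74188, "4.0": 100567}

# Constructed sample written in the style of 'show access-list' output;
# not captured from a real device (hash column omitted).
SAMPLE = """\
access-list outside_in; 6 elements
access-list outside_in line 1 extended permit tcp host 203.0.113.10 host 10.1.1.20 eq www (hitcnt=12)
access-list outside_in line 2 extended permit tcp host 203.0.113.11 host 10.1.1.20 eq www (hitcnt=3)
access-list outside_in line 3 extended permit tcp 203.0.113.12 255.255.255.254 host 10.1.1.20 eq www (hitcnt=0)
access-list outside_in line 4 extended permit tcp host 203.0.113.14 host 10.1.1.20 eq www (hitcnt=0)
access-list outside_in line 5 extended permit tcp host 203.0.113.15 host 10.1.1.20 eq www (hitcnt=1)
access-list outside_in line 6 extended permit udp host 203.0.113.40 host 10.1.1.53 eq domain (hitcnt=7)
"""

ELEMENTS_RE = re.compile(r"^access-list (\S+); (\d+) elements")
ACE_RE = re.compile(
    r"^access-list (\S+) line \d+ extended (permit|deny) (\S+) (.*?)(?: \(hitcnt=\d+\))?$"
)


def count_elements(text):
    """Return {acl_name: element_count} from the '; N elements' summary lines.

    The element counter is what the platform limit is measured against, so it
    is a better gauge than counting configured lines (object-groups expand).
    """
    counts = {}
    for line in text.splitlines():
        m = ELEMENTS_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def headroom(total_elements, train):
    """ACEs still available before the limit for the given software train."""
    return ACE_LIMITS[train] - total_elements


def _take_addr(tokens, i):
    """Consume one address spec ('any', 'host A' or 'A MASK'); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_aces(text):
    """Parse expanded ACE lines into (name, action, proto, src, dst, port_spec) tuples."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _take_addr(tokens, 0)
        dst, i = _take_addr(tokens, i)
        aces.append((name, action, proto, src, dst, " ".join(tokens[i:])))
    return aces


def collapse_aces(aces):
    """Merge sources that share ACL, action, protocol, destination and ports.

    collapse_addresses only joins networks that are adjacent and aligned, so
    the merged entries match exactly the same addresses as the originals.
    """
    groups = OrderedDict()
    for name, action, proto, src, dst, port in aces:
        groups.setdefault((name, action, proto, dst, port), []).append(src)
    merged = []
    for (name, action, proto, dst, port), srcs in groups.items():
        for net in ipaddress.collapse_addresses(srcs):
            merged.append((name, action, proto, net, dst, port))
    return merged


def _fmt_addr(net):
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def render_aces(aces):
    """Render ACEs back into configuration syntax."""
    return [
        f"access-list {name} extended {action} {proto} {_fmt_addr(src)} {_fmt_addr(dst)} {port}".rstrip()
        for name, action, proto, src, dst, port in aces
    ]


if __name__ == "__main__":
    total = sum(count_elements(SAMPLE).values())
    print(f"{total} elements, headroom on 3.2: {headroom(total, '3.2')}")
    for line in render_aces(collapse_aces(parse_aces(SAMPLE))):
        print(line)
```

On the sample the six entries collapse to three, because 203.0.113.10 and .11 form a /31 and .12/31 plus .14 and .15 form a /30. Merging sources pulls lines together, so before applying the output check that no deny entry sits between the originals that the merged line would now bypass; the sample contains only permits.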
01-16-2011 11:37 PM
Is there any way to increase the number of ACEs after reaching the limit of 75k on FWSM version 3.1(8)?
Thanks,
Vikram
01-17-2011 12:03 AM
ACE limit for version 3.1.x is just 72,806:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/specs_f.html#wp1057500
and ACE limit for version 3.2.x is 74,188:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/specs_f.html#wp1063812
So if you are currently running version 3.1, you can upgrade to version 3.2.x to increase the ACE limit from 72,806 to 74,188.
Or, to further increase the limit, you can upgrade to version 4.0.x (100,567):
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/specs_f.html#wp1067843
Please check out the release notes on hardware/software compatibility prior to upgrade.
Hope that helps.
01-17-2011 12:06 AM
Thanks Jennifer