cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
319
Views
0
Helpful
0
Replies
Highlighted
Beginner

Limitation/documentation: REST-API bulk API and large ACLs

Hey Cisco,

I recently did some work with the ASA REST-API, creating a REST API wrapper in Python: https://github.com/xpac1985/pyASA

During that, I found some issues/limitations that should at least be properly documented.

Buli API limitation

When using the bulk API function, multiple commands are concatenated into a single JSON string. For very long JSON strings – containing more than 2 18 (= 262.144) characters – the API call fails with an HTTP error. This might be because of some kind of maximum length of a

variable used in the API to process the JSON string.

pyASA works around this problem by separating its bulk API calls into parts, namely deletion of rules is done in steps of 500 rules at a time, and creation of rules is done at steps of 100 rules at a time, staying far below the maximum JSON string length, even when using many long IPv6 addresses and complex rule options.

This limitation should either be properly handled in the REST API agent, or at least documented so that people can read about it.

Large ACL limitations

The API agent tends to crash when trying to append to large ACLs. The API calls for rule creation fail with an HTTP 500 error code, and the ASA log shows that the agent is being restarted after crashing.

There seems to be no workaround for this, as increasing the memory available to the ASAv did not improve this behavior. However, it is not perfectly reproducible, as sometimes up to 7000 rules could be successfully created, but most of the times the agent crashed when reaching about 4000 rules.

This limitation should either be properly handled in the REST API agent, or at least documented so that people can read about it.

Hope this can be taken care of in the next API versions.

Kind regards

Björn

Everyone's tags (4)