Kureli Sankar
Cisco Employee
Documentation

This document is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

4.1.x: http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/specs_f.html#wp1067359

4.0.x: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/specs_f.html#wp1067359

3.2.x: http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/specs_f.html#wp1054944

3.1.x: http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/specs_f.html#wp1054944

2.3.x: http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/configuration/guide/specs.html#wp1054944

 

If your FWSM is hitting an ACL limit, and you are unable to create new access-lists due to hardware limitation, please reference the following guide for recommendations and solutions:

https://supportforums.cisco.com/docs/DOC-13189

 

Overview

 

The FWSM supports a fixed number of rules for the entire system. The FWSM supports approximately 100K rules for the entire system in single mode, and 170K rules for multiple mode.

 

In multiple context mode, each context supports at most 14,801 rules, but the actual number of rules supported in a context might be less, depending on how many contexts you have. A context belongs to one of 12 pools that offers a maximum of 14,801 rules. The FWSM assigns contexts to the pools in the order they are loaded at startup. For example, if you have 12 contexts, each context is assigned to its own pool, and can use 14,801 rules. If you add one more context, then context number 1 and the new context number 13 are both assigned to pool 1, and can use 14,801 rules divided between them; the other 11 contexts continue to use 14,801 rules each. If you delete contexts, the pool membership does not shift, so you might have some unequal distribution until you reboot, at which time the contexts are evenly distributed.

 

The numbers above vary with the software version the FWSM is running; check the configuration guide for your release.

Symptoms

1. ERROR: Unable to add, access-list config limit reached


This error is seen when the ACL limit is reached. The following commands show whether that is the case.

sh resource acl (from the system execution space)

This command shows which contexts are assigned to each partition, and how many ACEs each partition currently holds and can hold at most.

sh np 3 acl count (from the context in question)
FWSM/pri/act/admin# sh np 3 acl count 
-------------- CLS Rule Current Counts --------------
CLS Filter Rule Count       :             0
CLS Fixup Rule Count        :           130
CLS Est Ctl Rule Count      :             0
CLS AAA Rule Count          :             0
CLS Est Data Rule Count     :             0
CLS Console Rule Count      :            36
CLS Policy NAT Rule Count   :             2
CLS ACL Rule Count          :         10633  ----> Total ACE in the config.
CLS ACL Uncommitted Add     :             0
CLS ACL Uncommitted Del     :             0

---------------- CLS Rule MAX Counts ----------------
CLS Filter MAX              :           425
CLS Fixup MAX               :          1417
CLS Est Ctl Rule MAX        :            70
CLS Est Data Rule MAX       :            70
CLS AAA Rule MAX            :           992
CLS Console Rule MAX        :           283
CLS Policy NAT Rule MAX     :           283
CLS ACL Rule MAX            :         10633  ----> The maximum possible.

The above output shows that the ACL rule count (10633) has reached the maximum for the partition that hosts this context, so no further ACEs can be added.

a. A possible workaround is to configure fewer partitions, so that each partition can hold more rules:
resource acl-partition <1-12>
http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/qr.html#wp1622931
Changing the number of partitions requires a reload of the FWSM. If you are using failover, you must also reload the other failover unit, because the memory partitions must match on both units.


b. Where possible, consolidate hosts into networks within the object groups so that the access-list expands to fewer elements.
sh access-list | i elements
This shows how many ACEs each access-list expands to. Also review the per-ACE hit counts in show access-list and remove entries whose hit count is zero.
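To see how much object-group consolidation saves before touching the configuration, here is an added example (my own script, not Cisco code and not part of the original article). It models the expansion the FWSM reports under elements, one element per source x destination x service combination of an ACE, and summarises a list of host entries into the smallest exact set of networks, so the resulting object group matches exactly the same addresses and does not widen the rule. The host lists, object-group names and service count are constructed for illustration.

```python
"""Estimate the element count of an object-group ACE before and after
consolidating hosts into networks.

Added example for this article, not Cisco code. It models the FWSM
behaviour of compiling one element per src x dst x service combination;
the host lists and object-group names below are constructed.
"""
from ipaddress import IPv4Network, collapse_addresses
from typing import Iterable, List, Tuple


def summarize_hosts(hosts: Iterable[str]) -> List[IPv4Network]:
    """Collapse /32 host entries into the smallest covering set of networks.

    collapse_addresses only merges entries that together fill a whole
    supernet, so the summary matches exactly the original addresses and
    never widens the rule.
    """
    nets = [IPv4Network(h) for h in set(hosts)]
    return list(collapse_addresses(nets))


def network_object_lines(name: str, nets: Iterable[IPv4Network]) -> List[str]:
    """Render the summarised networks as FWSM object-group configuration."""
    lines = [f"object-group network {name}"]
    for n in nets:
        if n.prefixlen == 32:
            lines.append(f" network-object host {n.network_address}")
        else:
            lines.append(f" network-object {n.network_address} {n.netmask}")
    return lines


def ace_elements(src_count: int, dst_count: int, svc_count: int) -> int:
    """Elements one ACE compiles to: one per source x destination x service."""
    return src_count * dst_count * svc_count


def consolidate_ace(src_hosts: Iterable[str], dst_hosts: Iterable[str],
                    svc_count: int) -> Tuple[int, int, List[IPv4Network], List[IPv4Network]]:
    """Return (elements before, elements after, summarised src, summarised dst)."""
    src_hosts, dst_hosts = list(src_hosts), list(dst_hosts)
    src = summarize_hosts(src_hosts)
    dst = summarize_hosts(dst_hosts)
    before = ace_elements(len(set(src_hosts)), len(set(dst_hosts)), svc_count)
    after = ace_elements(len(src), len(dst), svc_count)
    return before, after, src, dst


# Constructed sample: a full /24 of user hosts listed one by one, eight
# adjacent servers plus one stray host, and a service group of three ports.
USER_HOSTS = [f"10.1.1.{i}" for i in range(256)]
SERVER_HOSTS = [f"192.0.2.{i}" for i in range(8, 16)] + ["192.0.2.100"]
SERVICE_COUNT = 3

if __name__ == "__main__":
    before, after, src, dst = consolidate_ace(USER_HOSTS, SERVER_HOSTS, SERVICE_COUNT)
    print(f"elements before: {before}, after: {after}")
    print("\n".join(network_object_lines("USERS", src)))
    print("\n".join(network_object_lines("SERVERS", dst)))
```

The saving depends on the hosts being contiguous: the constructed sample drops from 6912 elements to 6, but a group of scattered hosts barely shrinks, and widening a network to cover the gaps would permit traffic the original ACL did not. Compare the before and after figures with show access-list | include elements after the change.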

Again, more information on this issue is provided in the following document:

https://supportforums.cisco.com/docs/DOC-13189

2. ERROR: <outside> element cannot be created.

This message indicates that the access-list element being configured already exists in that access-list, as in the following example, where the duplicate is reported as a warning:

FWSM/admin(config)# access-list test permit icmp any any
WARNING: <test> found duplicate element

Use show access-list to locate the duplicate entry. This is an informational message only; it does not require any troubleshooting action.

3. ERROR message "Unable to add a hole to Policy Rule"

This error may be seen when adding an ACE to an access-list that is referenced by a NAT statement (policy NAT).

The error is caused by the limit on the number of policy NAT rules per context, which is 283 with the default of 12 partitions. The ACL rule limit of 10633 for 12 partitions may not have been reached, but the new entry still cannot be added because the policy NAT rule limit has been.

a. A possible workaround is to configure fewer partitions, so that each partition can hold more rules.
b. Do not reference the access-list in the nat statement; instead, apply the access-list to the interface with the access-group command.
c. Consolidate hosts into object groups and networks so that the access-list tied to the NAT statement expands to fewer elements.

This is not a bug but expected behavior when the policy NAT ACL limit is reached.

You can also read about this here:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsc72583

4. Memory for compiling access rules exhausted, aborting the current compilation and continuing to use the existing access rules.

FWSM/admin#show np 3 acl stats
rule count        :   6337 --------------> rule count may be within the limit
Bit nodes (PSCB's):  12624
Leaf nodes        :  12625
Total nodes       :  25249 (max  28356)  ---> node count limitation may be hit
Leaf chains       :   8149
Total stored rules:  12151
Max rules in leaf :      4
Node depth        :     29

The command show np 3 acl stats, run in the context in question, shows whether the total node count has reached its maximum. This limit can be hit before the ACL rule limit is reached: each ACE consumes between 2 and 5 nodes, depending on where the ACL is applied.

An ACL tied to MPF (Modular Policy Framework) may consume more nodes than an ACL tied to a NAT statement or to an access-group. There is no way to calculate the node count in advance, so the best approach is to check this output regularly and make sure the node count does not approach the maximum.
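The checks in sections 1, 3 and 4 all come down to comparing a current count with its maximum in the show np 3 acl count and show np 3 acl stats output. The following added example (my own script, not Cisco code and not part of the original article) parses captured copies of both outputs and reports every rule class, including Policy NAT and the total node count, that is at or above a warning threshold. The sample text is the output quoted in this article; the 80% threshold is an assumption, as is how the output is captured (for example over SSH from the context in question).

```python
"""Flag FWSM ACL resources that are close to their limits.

Added example for this article, not Cisco code. It parses captured
'show np 3 acl count' and 'show np 3 acl stats' output; the samples below
are the outputs quoted in the article and the 80% threshold is an assumption.
"""
import re
from typing import Dict, List, Tuple

ACL_COUNT_SAMPLE = """\
-------------- CLS Rule Current Counts --------------
CLS Filter Rule Count       :             0
CLS Fixup Rule Count        :           130
CLS Est Ctl Rule Count      :             0
CLS AAA Rule Count          :             0
CLS Est Data Rule Count     :             0
CLS Console Rule Count      :            36
CLS Policy NAT Rule Count   :             2
CLS ACL Rule Count          :         10633
CLS ACL Uncommitted Add     :             0
CLS ACL Uncommitted Del     :             0

---------------- CLS Rule MAX Counts ----------------
CLS Filter MAX              :           425
CLS Fixup MAX               :          1417
CLS Est Ctl Rule MAX        :            70
CLS Est Data Rule MAX       :            70
CLS AAA Rule MAX            :           992
CLS Console Rule MAX        :           283
CLS Policy NAT Rule MAX     :           283
CLS ACL Rule MAX            :         10633
"""

ACL_STATS_SAMPLE = """\
rule count        :   6337
Bit nodes (PSCB's):  12624
Leaf nodes        :  12625
Total nodes       :  25249 (max  28356)
Leaf chains       :   8149
Total stored rules:  12151
Max rules in leaf :      4
Node depth        :     29
"""

# "CLS <class> ... : <n>" lines; the Count and MAX sections name the classes
# slightly differently ("CLS Filter Rule Count" vs "CLS Filter MAX").
_CLS_LINE = re.compile(r"^CLS\s+(.+?)\s*:\s*(\d+)\s*$", re.M)
_NODES_LINE = re.compile(r"^Total nodes\s*:\s*(\d+)\s*\(max\s+(\d+)\)", re.M)


def parse_acl_count(text: str) -> Dict[str, Tuple[int, int]]:
    """Map rule class -> (current, maximum) from 'show np 3 acl count'."""
    current: Dict[str, int] = {}
    maximum: Dict[str, int] = {}
    for name, value in _CLS_LINE.findall(text):
        if "Uncommitted" in name:
            continue  # pending add/delete counters have no MAX line
        if name.endswith("MAX"):
            maximum[re.sub(r"\s*(Rule\s+)?MAX$", "", name)] = int(value)
        elif name.endswith("Count"):
            current[re.sub(r"\s*(Rule\s+)?Count$", "", name)] = int(value)
    return {k: (current[k], maximum[k]) for k in current if k in maximum}


def parse_acl_stats_nodes(text: str) -> Tuple[int, int]:
    """Return (total nodes, max nodes) from 'show np 3 acl stats'."""
    m = _NODES_LINE.search(text)
    if not m:
        raise ValueError("no 'Total nodes ... (max N)' line in output")
    return int(m.group(1)), int(m.group(2))


def check_limits(count_text: str, stats_text: str, warn_pct: float = 80.0) -> List[str]:
    """One warning per resource at or above warn_pct of its limit.

    The node tree is checked as well because, as the article notes, it can
    be exhausted before the ACL rule count reaches its maximum.
    """
    warnings: List[str] = []
    for cls, (cur, mx) in parse_acl_count(count_text).items():
        pct = cur * 100.0 / mx if mx else 0.0
        if pct >= warn_pct:
            warnings.append(f"{cls}: {cur}/{mx} ({pct:.0f}%)")
    nodes, max_nodes = parse_acl_stats_nodes(stats_text)
    pct = nodes * 100.0 / max_nodes
    if pct >= warn_pct:
        warnings.append(f"Total nodes: {nodes}/{max_nodes} ({pct:.0f}%)")
    return warnings


if __name__ == "__main__":
    for line in check_limits(ACL_COUNT_SAMPLE, ACL_STATS_SAMPLE):
        print("WARNING", line)
```

On the article's own sample the script reports the ACL class at 100% of its partition limit and the node tree at 89% of its maximum, while Policy NAT (2 of 283) stays quiet; feeding it the same two outputs from each context on a schedule is the regular monitoring the section above recommends.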

 

 

Command Reference:

FWSM 3.1: http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/fwsm_ref.html

FWSM 3.2: http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/fwsm_ref.html

FWSM 4.0: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/command/reference/qr.html#wp1622931

FWSM 4.1: http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/command/reference/qr.html#wp1622931
