
%ACLMGR-3-ACLMGR_VERIFY_FAIL: Verify failed: client 40000290, tcam region full

Andreas Falk
Level 1

Hi,

 

I have two Nexus5548 with system version 5.1(3)N2(1a) that I'm having trouble with. 
There is one ACL I try to apply (it's rather big, so I can't paste it in this public discussion), and it keeps failing with:

%ACLMGR-3-ACLMGR_VERIFY_FAIL: Verify failed: client 40000290, tcam region full
%AFM-3-AFM_VERIFY_FAIL: Access control policy modification on vlan 123 failed

And I can see that it is really long, but it's shorter than a few other ACLs?

# sh access-lists summary
[snip]
IPV4 ACL vlan124-out
        Total ACEs Configured:286
[snip]
IPV4 ACL vlan123-out
        Total ACEs Configured:274
[snip]


I've read the http://www.cisco.com/c/en/us/products/collateral/switches/nexus-5000-series-switches/white_paper_c11-682225.html
But I can't really get my head around how I can see how different ACLs with fewer ACEs take up "more tcam space"?

The core problem is the long ACLs, but that is something that we are looking at in the long run.

In Nx7000 there is "show hardware capacity | begin ACL" to get some good info about this. But I haven't found anything like this on the Nx5k platform.
I'm sorta stuck how to continue troubleshooting this, any tips?

--

Regards Falk

1 Reply

Andreas Falk
Level 1

Hi,

I'll answer this myself after some digging in the docs :)

It wasn't that acl itself, it was the TOTAL TCAM space for that region that was full.
Like the log said, "tcam region full".

The collective eracl size was 2048 and we used ~2k of that.
So when we tried to apply another it just didn't fit.. :)

This can be found out by:

Egress router ACL:

#sh platform afm info tcam 8 region eracl 
eracl tcam TCAM configuration for asic id 5:
[eracl tcam]: range     0 - 2047 *
[ifacl tcam]: range  2048 - 2111  
[  qos tcam]: range  2112 - 2175  
[iracl tcam]: range  2176 - 3839  
[ span tcam]: range  3840 - 3903  
[  sup tcam]: range  3904 - 3967  

    TCAM [eracl tcam]: [v:1, size:2048, start:0 end:2047]
    In use tcam entries: 2047
        0-9,15-2047

Ingress router ACL:

# sh platform afm info tcam 8 region iracl 
iracl tcam TCAM configuration for asic id 5:
[eracl tcam]: range     0 - 2047  
[ifacl tcam]: range  2048 - 2111  
[  qos tcam]: range  2112 - 2175  
[iracl tcam]: range  2176 - 3839 *
[ span tcam]: range  3840 - 3903  
[  sup tcam]: range  3904 - 3967  

    TCAM [iracl tcam]: [v:1, size:1664, start:2176 end:3839]
    In use tcam entries: 843
        2176-2177,2999-3839

Every ACE (Access Control Entry (one line of an Access Control List)) is 1 entry in a TCAM region from what I understand.

So our next challenge is to rethink our ACLs and/or check out more information about TCAM carving.

 

--

Regards Falk
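
A headroom check built on the command output in the reply above, as an added example that is not part of the original post: it parses the region size and in-use count from `sh platform afm info tcam 8 region <name>` output and tests whether an ACL with a given number of ACEs would still fit. It assumes one TCAM entry per ACE, which is the poster's stated understanding; the function names are hypothetical.

```python
import re

# Output copied from the reply above (region range table trimmed).
ERACL = """\
    TCAM [eracl tcam]: [v:1, size:2048, start:0 end:2047]
    In use tcam entries: 2047
        0-9,15-2047
"""
IRACL = """\
    TCAM [iracl tcam]: [v:1, size:1664, start:2176 end:3839]
    In use tcam entries: 843
        2176-2177,2999-3839
"""

REGION_RE = re.compile(
    r"TCAM \[\s*(\w+) tcam\]: \[v:\d+, size:(\d+), start:(\d+) end:(\d+)\]")
IN_USE_RE = re.compile(r"In use tcam entries:\s*(\d+)")


def parse_region(text):
    """Return region name, size, in-use and free entry counts for one region."""
    region = REGION_RE.search(text)
    in_use = IN_USE_RE.search(text)
    if not region or not in_use:
        raise ValueError("no TCAM region summary found in input")
    size, used = int(region.group(2)), int(in_use.group(1))
    if used > size:
        raise ValueError("in-use count exceeds region size")
    return {"region": region.group(1), "size": size,
            "in_use": used, "free": size - used}


def fits(text, ace_count):
    """True if ace_count more entries fit (assumption: one entry per ACE)."""
    return parse_region(text)["free"] >= ace_count


def report(text, ace_count):
    """One-line summary suitable for a pre-change check."""
    r = parse_region(text)
    verdict = "fits" if r["free"] >= ace_count else "DOES NOT FIT"
    return (f"{r['region']}: {r['in_use']}/{r['size']} in use, "
            f"{r['free']} free; ACL with {ace_count} ACEs: {verdict}")


if __name__ == "__main__":
    for output in (ERACL, IRACL):
        print(report(output, 274))  # 274 = ACE count of vlan123-out above
```

Running a check like this before pushing an ACL change shows that the region is full before the switch rejects the policy with ACLMGR_VERIFY_FAIL.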
