02-01-2022 08:43 AM
Running AnyConnect on ASA 5525. This is a DR/Test firewall with a maximum of 5 users on it at any one time. Testing a profile using ISE for authorization. If I connect using AnyConnect without a DACL in ISE, the connection authenticates fine.
When I apply a DACL to the policy in ISE, the connection fails. ISE Radius logs show the authentication passes and the DACL is sent to the ASA successfully. The firewall logs show an error when the DACL is passed to it from ISE and does not allow the session.
%ASA-6-716051: Group group-name User user-name IP IP_address Error adding dynamic ACL for user.
There is not enough memory to perform the action.
Memory appears to be fine on the firewall, despite the error.
TEST-VPN# show memory
Free memory: 3291834675 bytes (75%)
Used memory: 1116307600 bytes (25%)
------------- ------------------
Total memory: 4408142275 bytes (100%)
This is the only DACL being used. It consists of 3 lines. It appears a 5525 not under load should be able to handle this without issue. The ASA OS has been upgraded and the same error appears. Any suggestions?
02-01-2022 08:53 AM
@bbarnes is the DACL formatted correctly?
Perhaps a bug, what exact ASA version are you running?
02-01-2022 09:18 AM
Thank you for the response. Checking the DACL syntax in ISE, ISE responds "DACL is valid".
Have used two different OS versions, 9.8.4 and 9.12.4, with the same result.
02-01-2022 09:02 AM
- Ref : https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs8.html#con_5376343
>...
Error Message %ASA-6-716051: Group group-name User user-name IP IP_address Error adding dynamic ACL for user.
Explanation There is not enough memory to perform the action.
Recommended Action Purchase more memory, upgrade the ASA, or reduce the load on it.
M.