FWSM filter updates - Version 3.1(12)

Unanswered Question
Oct 3rd, 2008

Hello

We update FWSM ACLs by editing text files (partially automatically) (with 'clear configure access-list <>' at the top and 'access-list commit' at the bottom) and then tftp'ing them to the FWSMs. However, scripting this process with 'Expect' has caused the active FWSM to now and then partially freeze on the management access (normal traffic OK) (Configuration update in progress by another process....) with no recovery except forced failover and reload. ACL size apparently has no influence. The problem has not occurred when doing it manually:

copy tftp run

tftp-server

filename

wr.

Any ideas for a fix? And what is best practice for ACL updates (~55 same-security-level interfaces in single mode)? I don't think ASDM is the solution.

Thanks, JJ

hadbou Thu, 10/09/2008 - 08:18

Access lists are made up of one or more Access Control Entries. An ACE is a single entry in an access list that specifies a permit or deny rule, and is applied to a protocol, a source and destination IP address or network, and optionally the source and destination ports.

Refer to the following URL for more information on configuring and adding ACLs in FWSM:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/traffc_f.html#wp1002608

jjoensen Thu, 10/09/2008 - 09:11

Thanks for the answer - I know my ACL fundamentals though - the problem is/was how to update entire ACLs, not ACEs (with up to 3000 ACEs; total number of ACEs in use: ~19,000, ~20% memory usage), with scripting. The problem seems to have been solved by slowing down the script and carefully ensuring that one step has completed before the next one starts.

Funny - the supplied link doesn't offer any information on the differences between manual and auto commit (auto-commit is where the ACEs are compiled line by line, which can take a really long time if you substitute an entire ACL).

Thanks JJ
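The slowed-down, step-by-step approach JJ describes for the scripted TFTP update in the question, as an added Expect script that is not from the thread or from Cisco. The management host name, TFTP server address, credentials (read from environment variables), the prompt regex and the use of the "Configuration update in progress" message as the back-off trigger are all assumptions; the ACL file is in the format the question describes.

```tcl
#!/usr/bin/expect -f
# Added example (not from the thread): push one FWSM ACL file via TFTP and
# never send the next command until the previous one has really finished.
# Host, TFTP server, credentials and prompt text are placeholders/assumptions;
# the ACL file follows the thread's format: "clear configure access-list <name>",
# the ACEs, then "access-list commit".
set host   "fwsm-mgmt.example.net"    ;# placeholder management address
set tftp   "10.0.0.5"                 ;# placeholder TFTP server
set file   [lindex $argv 0]           ;# ACL file name on the TFTP server
set prompt {\r\n[^\r\n]*[#>] $}       ;# "fwsm# ", "fwsm(config)# " or "fwsm> "

# Send one command and wait for the prompt. If the FWSM answers with the
# "Configuration update in progress" message, swallow the prompt, back off
# and resend instead of queueing more commands into a busy box.
proc send_when_idle {cmd prompt {tries 20}} {
    set timeout 600                   ;# a full-ACL recompile can take minutes
    for {set i 0} {$i < $tries} {incr i} {
        send "$cmd\r"
        expect {
            -re {Configuration update in progress by another process} {
                expect -re $prompt    ;# consume the prompt that follows the message
                puts stderr "FWSM busy, retry $i of $tries in 30s"
                sleep 30
                continue
            }
            -re {\?\s*$} { send "\r"; exp_continue }   ;# accept confirmation prompts
            -nocase -re {ERROR|invalid input} { puts stderr "'$cmd' failed"; exit 3 }
            -re $prompt { return }
            timeout { puts stderr "no prompt within 600s after '$cmd'"; exit 2 }
        }
    }
    puts stderr "FWSM stayed busy, giving up before '$cmd'"
    exit 4
}

set timeout 30
spawn ssh admin@$host
expect {
    -re {[Pp]assword:} { send "$env(FWSM_PASS)\r"; exp_continue }
    -re $prompt {}
    timeout { puts stderr "login timed out"; exit 1 }
}
send "enable\r"
expect -re {[Pp]assword:}
send "$env(FWSM_ENABLE)\r"
expect -re $prompt

send_when_idle "copy tftp://$tftp/$file running-config" $prompt
send_when_idle "write memory" $prompt
send "exit\r"
expect eof
```

Run it as `./fwsm-acl-push.exp acl-outside.txt` with FWSM_PASS and FWSM_ENABLE exported; the script exits non-zero rather than sending further commands if the FWSM keeps reporting a configuration update in progress.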
