FWSM ACL reached limit

Answered Question
Jul 1st, 2009

Folks, please help: I have an FWSM with 4 contexts, but I couldn't migrate my Check Point firewall to a Cisco FWSM 4.0.4 because the FWSM reached its limit of 100000 ACL lines.

Has anybody had this problem?

I am wondering about using an ASA in place of the FWSM.

Correct Answer by Kureli Sankar, Wed, 07/01/2009 - 19:32

1. Look at sh access-list, find all the 0-hit entries and, if they are not required, remove them.

2. Clean up object groups to reduce the number of ACEs.

3. Re-partition the ACL space and reduce the number of partitions. This will increase the number of ACEs that you can have per partition. It will not double the space, because we need to allocate a backup area that is as big as the biggest partition in 4.0, or as any other partition in 3.x and earlier, so it will certainly increase, but not exactly double.

4.x command reference:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/command/reference/qr.html#wp1656867

    hostname(config)# resource acl-partition 4

(I am not sure how many contexts you are planning to add in the future.)

This configuration command leads to repartitioning of ACL memory. It will not take effect unless you save the configuration to the startup configuration and reboot.

Changing the number of partitions requires you to reload the FWSM. If you are using failover, you must also reload the other failover unit, because the memory partitions must match on both units.

Traffic loss can occur because both units are down at the same time.

You are right, in the ASA there is no limit. Memory is the limit there.

FWSM 4.x rule limit link:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/specs_f.html#wp1067359

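Step 1 of the answer above (find the 0-hit entries) and the ACE counting behind step 2, as an added example that is not from the thread or from Cisco: a small Python audit of "show access-list" output that reports ACL lines whose expanded ACEs all show hitcnt=0 and totals how many ACEs each ACL consumes from its partition. The sample output, ACL name and addresses are constructed; only the field layout follows the usual FWSM/ASA "show access-list" format.

```python
import re

# Constructed sample 'show access-list' output (not from the thread). Line 2
# uses an object-group, so it expands to two ACEs that both count against the
# partition limit; line 3 has never matched any traffic.
SAMPLE = """\
access-list outside_in; 4 elements
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=1532) 0x1a2b3c4d
access-list outside_in line 2 extended permit tcp object-group WEB_SRV any eq https 0x5e6f7a8b
access-list outside_in line 2 extended permit tcp host 192.0.2.11 any eq https (hitcnt=0) 0x5e6f7a8c
access-list outside_in line 2 extended permit tcp host 192.0.2.12 any eq https (hitcnt=7) 0x5e6f7a8d
access-list outside_in line 3 extended permit udp any host 192.0.2.20 eq ntp (hitcnt=0) 0x9c0d1e2f
"""

# Expanded entries carry '(hitcnt=N)'; the object-group parent line does not.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>.+?)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))? 0x[0-9a-f]+$"
)


def parse_access_list(text):
    """Return {(acl, line): {"rule": str, "aces": int, "hits": int}}."""
    entries = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # e.g. the 'access-list X; N elements' summary line
        key = (m["acl"], int(m["line"]))
        e = entries.setdefault(key, {"rule": m["rule"], "aces": 0, "hits": 0})
        if m["hits"] is not None:  # only expanded ACEs consume partition space
            e["aces"] += 1
            e["hits"] += int(m["hits"])
    return entries


def zero_hit_lines(entries):
    """ACL lines whose expanded ACEs all show hitcnt=0: candidates for review."""
    return sorted(k for k, e in entries.items() if e["aces"] and e["hits"] == 0)


def ace_count(entries, acl):
    """Total ACEs the named ACL consumes from its partition."""
    return sum(e["aces"] for (name, _), e in entries.items() if name == acl)


if __name__ == "__main__":
    parsed = parse_access_list(SAMPLE)
    print(ace_count(parsed, "outside_in"), zero_hit_lines(parsed))
```

A zero hit count only says the entry has not matched since counters were last cleared, so check when that was before removing anything.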