Access rules active but not working

Answered Question
Feb 9th, 2010

Hi all:

We are facing a problem with our FWSM. There are some rules that are configured (and enabled) which seem not to be working properly.

Yesterday, I received complaints from users that they could not reach servers on port 1521. I confirmed that the rule allowing that traffic is correct and enabled, so I launched two captures, one on the input interface (I can see the traffic) and another on the output interface (no traffic there). I was very surprised.

The next step was to enable logging on the policy (through ASDM). One minute after that the customer told me the issue was fixed and asked me what I did. I didn't do anything!! I only enabled logging on the policy!

The customer and I are worried about this; this is the second time it has happened and I don't have a logical explanation for the FWSM behaviour. The version is 4.0(7) and ASDM is 6.1(5)F.

Does someone have an idea about what's going on?

Thanks a lot,


Correct Answer by Kureli Sankar about 6 years 8 months ago

That is correct. sh tech is just for backup.

Your acl count is not high at all.

You can disable optimization now.

You can check the limitation here:

for both single and multiple contexts.


Kureli Sankar Tue, 02/09/2010 - 04:45

I am just as surprised as you are.

You are saying that adding the "log" keyword at the end made the acl work, but before that all packets were dropped by the firewall and were not egressing.

Do you do manual commit or auto commit for ACLs? Was this ACL always there and working, or did it never work?


Francisco Del Cura Tue, 02/09/2010 - 05:22

Yes KS, the two times it happened it was fixed by enabling logging on the policy, only with that. It seems as if the ACL is in an inactive status until you make a change to it, very strange. Once I enabled logging, I could see the packets on the output interface with the capture.

Both access-lists already had hits prior to this issue.

The commit is manual; every time I make any change on the FWSM I press the Apply button in ASDM.

Francisco Del Cura Tue, 02/09/2010 - 09:46

One question. I want to disable the optimization on the FWSM but I don't know if it will affect all the access-lists configured until now, because I've read that with optimization enabled the firewall has an optimized copy of every access-list. Will that copy be erased when I disable the optimization? Will the access-lists become inactive if it's disabled?

If I uncheck the optimization checkbox, the appliance tells me there is a backup of the optimized access-lists. How can I do it? It seems it can only be copied to the running config, not to a TFTP/FTP server.


Kureli Sankar Tue, 02/09/2010 - 13:22

No, no. The optimized acl will take less space, so if by disabling that the space taken by your acl grows and your partition runs out of space you will be in trouble. So, just issue a sh tech and take the output to a text file.

sh access-l | i elements

make sure you do not have a huge number of elements.

sh np 3 acl count ---> is another good command

Once done you can disable acl optimization.

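Worked example added here (not part of the thread, and not Cisco's code): a small Python helper for the check described in the post above. You paste the output of `sh access-l | i elements` into a text file, and the script parses the per-ACL element counts, sorts them largest first, totals them and flags any ACL at or above an operator-chosen review threshold. The sample output below is constructed, the `access-list NAME; N elements; name hash: ...` line format is assumed from ASA/FWSM output rather than quoted from the thread, and the threshold value is an arbitrary assumption, not a platform limit.

```python
import re
import sys

# Constructed sample of `show access-list | include elements` output.
# The line format (name; N elements; name hash: 0x...) is an assumption
# about ASA/FWSM output and the numbers are made up for the example.
SAMPLE_OUTPUT = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list inside_access_in; 17000 elements; name hash: 0x2c8c1a5e
access-list dmz_access_in; 2310 elements; name hash: 0x5f1e0c3a
access-list outside_access_in; 640 elements; name hash: 0x8a7b2d11
"""

# Only per-ACL summary lines carry "<name>; <N> elements"; the
# "cached ACL log flows" header line does not match and is skipped.
ELEMENTS_RE = re.compile(r"^access-list\s+(\S+);\s+(\d+)\s+elements\b")


def parse_element_counts(text):
    """Return {acl_name: element_count} parsed from show access-list output."""
    counts = {}
    for line in text.splitlines():
        match = ELEMENTS_RE.match(line.strip())
        if match:
            counts[match.group(1)] = int(match.group(2))
    return counts


def summarize(counts, threshold):
    """Sort ACLs by size (largest first), total them and flag large ones.

    `threshold` is a review value chosen by the operator for this check;
    it is not a documented FWSM limit.
    """
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    total = sum(counts.values())
    flagged = [name for name, n in ordered if n >= threshold]
    return {"ordered": ordered, "total": total, "flagged": flagged}


if __name__ == "__main__":
    # Usage: python acl_elements.py [saved_show_output.txt] [threshold]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    threshold = int(sys.argv[2]) if len(sys.argv) > 2 else 10000  # assumed
    result = summarize(parse_element_counts(text), threshold)
    for name, n in result["ordered"]:
        print(f"{n:>8}  {name}")
    print(f"{result['total']:>8}  total elements")
    if result["flagged"]:
        print("review before disabling optimization:", ", ".join(result["flagged"]))
```

Run it against a saved copy of the command output, once per context if the FWSM is in multiple-context mode, and keep the output alongside the sh tech backup the post recommends taking before the optimization change.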

Francisco Del Cura Wed, 02/10/2010 - 01:04

The highest element count I have is 17000; is that figure high?

I did the show tech (I don't understand the output of sh np 3 acl count <0-11>) and I don't know why after the show tech I can disable the optimization. Do I have to do a copy optimized-running-config running-config before disabling it?


