DAP limitations

May 19th, 2010

Are there any limitations regarding Dynamic Access Policies (DAP), i.e. CPU, Memory, walk through times?

Use Case:

ASA5520, 3000 IPSEC Users, LDAP Connection to AD

There are 200 Groups in the AD that will be referenced in the DAP.

So there are 200 DAP Entries, all with "Continue" at the end of the DAP.

A user can be a member of many AD groups.

Every DAP entry has its own ACL of about 5 ACEs.


Peter Davis (Cisco Employee) Wed, 06/02/2010 - 05:54

There is no configuration limit for the number of DAP records on the ASA. There are limits on the number of values/instances each attribute can have. Currently a maximum of 999 values/instances can be processed per attribute in each DAP. With that said, each instance will utilize memory and CPU for processing. If you have excessive numbers you will want to keep an eye on memory utilization since you may want to adjust your plans for device capacity appropriately.

