Re: Error message when applying service-policy to FWSM

Jul 22nd, 2010


Hi,


I am getting this error message when I am applying this service-policy on an interface of the FWSM :-


-----------------------------------------------------------------------


ERROR: Unable to add, fixup config limit reached

ERROR: Cannot add policy to rule engine


------------------------------------------------------------------------


It takes the class-map and the policy-map with no issues but I get the above error when applying the service-policy to the interface.


What do I need to do to allow me to enter the service-policy on the interface ?


Pls advise,


Cheers,

-SN-

bknoblau Thu, 07/22/2010 - 18:10

Hello Sanjay,


I am assuming that this is most likely a result of you exceeding the maximum rule allocation for your specific device.  The default for inspection rules of a FWSM in Single context mode is 4147.  For multiple context mode it is 1417.  For each inspect you specify, two rules are created for every rule in the access list grouped to the inspection.  So if you have 3 inspections and 1000 ACL rules (3 * 1000 * 2) = 6000 rules will be created which is larger than the supported MAX (4147).  Your specific system may also have a maximum that is different than this due to specific system limitations.  This can be checked by viewing the "show resource rule" command.


For more information about rule allocation, follow the following link:


http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/specs_f.html#wp1054944


Regards,


BK

Magnus Mortensen Fri, 07/23/2010 - 20:15
Cisco Employee

Sanjay,

     Take a look at the output of 'show np 3 acl count' from the context you are trying to add the service policy rule to. You should see something like:


FWSM/test# sh np 3 acl count
-------------- CLS Rule Current Counts --------------
CLS Filter Rule Count       :             0
CLS Fixup Rule Count        :            16
CLS Est Ctl Rule Count      :             0
CLS AAA Rule Count          :             0
CLS Est Data Rule Count     :             0
CLS Console Rule Count      :             1
CLS Policy NAT Rule Count   :             0
CLS ACL Rule Count          :             6
CLS ACL Uncommitted Add     :             0
CLS ACL Uncommitted Del     :             0


---------------- CLS Rule MAX Counts ----------------
CLS Filter MAX              :          3747
CLS Fixup MAX               :          9994
CLS Est Ctl Rule MAX        :           624
CLS Est Data Rule MAX       :           624
CLS AAA Rule MAX            :          8744
CLS Console Rule MAX        :          2498
CLS Policy NAT Rule MAX     :          2498
CLS ACL Rule MAX            :         96199


-------------- CLS Rule Counter Ranges --------------
CLS L7 Cnt     Start - End  :             1 -     3747
CLS Est Cnt    Start - End  :          3748 -     4371
CLS AAA Cnt    Start - End  :          4372 -    13115
CLS CP Cnt     Start - End  :         13116 -    15613
CLS Policy Cnt Start - End  :         15614 -    18111
CLS ACL Cnt    Start - End  :         18112 -   114310
CLS DYN Cnt    Start - End  :             0 -        0


----- CLS Rule Memory Management (Global) ----
CLS Rules Allocated         :           149
CLS Rules Deleted           :           126
CLS Rules Flagged           :             0
CLS Rules Reclaimed         :             0
CLS Rules No Memory         :             0


----- CLS Extension Memory Management (Global) ----
CLS Leaf Extensions Alloced :            12
CLS Leaf Extensions Updated :             0
CLS leaf Extensions Deleted :             6
MPC Leaf Extensions Alloced :             0
MPC Leaf Extensions Deleted :             0
MPC Leaf Ext Alloc Errors   :             0
MPC Leaf Ext Free Errors    :             0
-----------------------------------------------------



The output lines you are going to be interested in are the lines related to "Fixup Rule". If you are hitting that limit, you may need to simplify your service-policy rules or re-allocate ACL partition space if you are in multiple context mode.


Please post the output of "sh np 3 acl count | in Fixup".


- Magnus

sanjay.nadarajah Sun, 07/25/2010 - 17:26


Hi Magnus,


Here is the 'show np 3 acl count | in Fixup'


Context-A# sh np 3 acl count | in Fixup
CLS Fixup Rule Count        :            32
CLS Fixup MAX               :          1537
Context-A#


Thank you,


Cheers,

-SN-

Magnus Mortensen Tue, 07/27/2010 - 04:30
Cisco Employee

SN,

     Depending on the complexity of the ACLs and class-maps associated with that policy map, you may hit the limit quickly. If you are applying the service policy globally, then a copy of the full policy map is generated and programmed per interface. So if you have 20 interfaces, that becomes 20 duplicates of the policy map.


-Magnus
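The thread gives three pieces that a capacity check needs: BK's rule of thumb (each inspect creates two rules per ACL entry), Magnus's `show np 3 acl count` Fixup counters, and his note that a global service-policy is programmed once per interface. The script below is an added example, not code from this thread or from Cisco: it parses the `| in Fixup` lines SN posted (embedded here as a constructed sample), reports the remaining Fixup headroom, and estimates whether a proposed policy would fit. It assumes, as a labelled simplification, that BK's "inspection rules" count against the "CLS Fixup" partition Magnus points at; the exact rule accounting on a given FWSM release is something `show np 3 acl count` and `show resource rule` should be used to confirm.

```python
import re

# Constructed sample: the two counter lines SN posted, as they appear in
# 'show np 3 acl count | in Fixup' (the prompt lines are left in on purpose
# so the parser has to skip them).
SAMPLE_OUTPUT = """\
Context-A# sh np 3 acl count | in Fixup
CLS Fixup Rule Count        :            32
CLS Fixup MAX               :          1537
Context-A#
"""

# Matches counter lines of the form 'CLS <name>   :   <integer>'.
# Range lines such as 'CLS ACL Cnt Start - End : 18112 - 114310' do not end
# in a bare integer, so they are skipped, which is what we want here.
COUNTER_RE = re.compile(r"^CLS\s+(?P<name>.+?)\s*:\s*(?P<value>\d+)\s*$")


def parse_acl_count(text):
    """Parse 'show np 3 acl count' output into {counter_name: int}."""
    counters = {}
    for raw in text.splitlines():
        m = COUNTER_RE.match(raw.strip())
        if m:
            counters[m.group("name").strip()] = int(m.group("value"))
    return counters


def fixup_headroom(counters):
    """Return (used, maximum, free) for the Fixup rule partition."""
    used = counters["Fixup Rule Count"]
    limit = counters["Fixup MAX"]
    return used, limit, limit - used


def estimate_fixup_rules(inspections, acl_entries, interfaces=1):
    """BK's estimate: every inspect creates two rules per ACE in the ACL
    grouped to the class-map. Magnus's addition: a global service-policy is
    programmed once per interface, so multiply by the interface count.
    Assumption (not stated on the page): these rules land in the Fixup partition."""
    return inspections * acl_entries * 2 * interfaces


def policy_fits(counters, inspections, acl_entries, interfaces=1):
    """Compare the estimated rule demand against the free Fixup space."""
    used, limit, free = fixup_headroom(counters)
    needed = estimate_fixup_rules(inspections, acl_entries, interfaces)
    return {
        "used": used,
        "max": limit,
        "free": free,
        "needed": needed,
        "fits": needed <= free,
    }


if __name__ == "__main__":
    ctrs = parse_acl_count(SAMPLE_OUTPUT)
    print("Fixup used/max/free:", fixup_headroom(ctrs))
    # BK's worked case: 3 inspections over a 1000-line ACL.
    print("3 inspects x 1000 ACEs:", estimate_fixup_rules(3, 1000))
    # Same policy applied globally across 20 interfaces, per Magnus.
    print(policy_fits(ctrs, inspections=1, acl_entries=100, interfaces=20))
```

Paste the full `show np 3 acl count` output into `SAMPLE_OUTPUT` and the other `CLS ... Count`/`MAX` pairs (Filter, AAA, Policy NAT, ACL) parse the same way, so the same dictionary can be used to watch the partition that is actually filling up rather than only Fixup.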
