I presume that you have local servers to which you want to generally allow traffic BUT want to block traffic from the mentioned external subnets/networks? If so then the interesting question would be how you have configured the actual ACL? Do you have the "object-group" mentioned in use on your ASA and is it used multiple times in the same ACL for different destination servers?
Cisco documentation recommends a maximum of 25k ACEs in ACLs for the ASA5505. Considering the amount of objects in those "object-group" you would easily go over that recommended limit if you had a few servers for which you had rules using these "object-group".
access-list OUTSIDE-IN deny ip object-group block-CN host x.x.x.x
access-list OUTSIDE-IN deny ip object-group block-KR host x.x.x.x
access-list OUTSIDE-IN deny ip object-group block-PS host x.x.x.x
access-list OUTSIDE-IN deny ip object-group block-CN host y.y.y.y
access-list OUTSIDE-IN deny ip object-group block-KR host y.y.y.y
access-list OUTSIDE-IN deny ip object-group block-PS host y.y.y.y
access-list OUTSIDE-IN deny ip object-group block-CN host z.z.z.z
access-list OUTSIDE-IN deny ip object-group block-KR host z.z.z.z
access-list OUTSIDE-IN deny ip object-group block-PS host z.z.z.z
This would result in approx. 18k ACL rules? Even more so if you have even more destination addresses to which the traffic is blocked.
Have you checked your memory usage on the ASA at the moment?
You should be able to view the amount of ACEs in the ACL with the command
show access-list outside_access_in | inc elements
Cisco states that each ACE uses at minimum 212 bytes of RAM. Cisco also mentions that the performance degradation is around 10-15% if the recommended ACE amount is reached or exceeded. There does not seem to be any set maximum limit. It should only be limited by the amount of RAM.
Are the "object-group" updated regularly by some script running somewhere?
The "object-group" listing seems to have a command that first removes the "object-group" and then creates it again. If this "object-group" exists in an ACL then that should mean that the script cannot remove the "object-group" unless it first removes the ACL lines (or any configurations) using the said "object-group". If the ACL lines are not removed first then it would seem to me that inserting the mentioned configurations will simply add many subnets/networks again with no result (if they exist) or possibly add some new ones.
I am not sure if the case is the one mentioned above. Maybe not. But if it is, maybe it's related to the problem.
I guess Cisco TAC could probably easily check what the problem is but I would imagine that using such a large "object-group" or modifying it "on the fly" might have something to do with the problem.
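An added example, not from the original thread or from Cisco, that does the capacity arithmetic this post reasons through: it counts the members of each object-group in a config snippet, expands every ACE that references one (an N-member group contributes N entries, and two groups on one line multiply), and compares the result with the 25k recommended ACE count and the 212 bytes per ACE cited above. The object-group names match the post; the group sizes, member networks and destination hosts are constructed sample values.

```python
import re
from collections import defaultdict

ACE_BYTES_MIN = 212             # minimum RAM per expanded ACE, as cited in the post
RECOMMENDED_ACE_LIMIT = 25_000  # recommended ACE count for an ASA5505, as cited in the post

def build_sample_config(sizes: dict, hosts: list) -> str:
    """Constructed sample config mirroring the post: one deny line per group per host."""
    lines = []
    for name, count in sizes.items():
        lines.append(f"object-group network {name}")
        for i in range(count):
            # made-up member networks in 10.0.0.0/8, not real blocklist entries
            lines.append(f" network-object 10.{i // 256}.{i % 256}.0 255.255.255.0")
    for host in hosts:
        for name in sizes:
            lines.append(f"access-list OUTSIDE-IN deny ip object-group {name} host {host}")
    return "\n".join(lines)

def group_sizes(config: str) -> dict:
    """Count network-object members per 'object-group network' block."""
    sizes, current = defaultdict(int), None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            sizes[current] += 0          # register the group even if empty
        elif current and re.match(r"\s+network-object\s", line):
            sizes[current] += 1
        elif line and not line.startswith(" "):
            current = None               # any other top-level command ends the block
    return dict(sizes)

def expanded_ace_count(config: str) -> int:
    """Sum the expanded size of every access-list line in the config."""
    sizes = group_sizes(config)
    total = 0
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        n = 1
        for ref in re.findall(r"object-group (\S+)", line):
            n *= sizes.get(ref, 1)       # unknown group: assume a single element
        total += n
    return total

def capacity_report(config: str) -> dict:
    """Expanded ACE count, minimum RAM estimate, and whether the recommended limit is exceeded."""
    aces = expanded_ace_count(config)
    return {"aces": aces, "ram_bytes_min": aces * ACE_BYTES_MIN,
            "over_recommended": aces > RECOMMENDED_ACE_LIMIT}
```

Run `capacity_report(build_sample_config({"block-CN": 3000, "block-KR": 2000, "block-PS": 1000}, ["192.0.2.1", "192.0.2.2", "192.0.2.3"]))` to reproduce the post's three-host case; adding destination hosts shows how quickly the count crosses the recommended limit.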