Cisco Support Community

Cisco ASA Microsoft(info) - Cisco-AV-Pair, multiple DACL

Hi

I'm trying to add downloadable ACLs via an LDAP map. I have done a map between the info attribute in Microsoft Active Directory and the Cisco-AV-Pair field.

My problem is that when I add two lines in the configuration I receive an error in the ASA log.

%ASA-3-109032: Unable to install ACL 'AAA-user-nisse-406F160D', downloaded for user nisse; Error in ACE : 'permit ip 10.0.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ip:inacl#2=permit ip 10.0.2.0 255.255.255.0 192.168.3.0 255.255.255.0'

%ASA-6-716051: Group <SVC-LDAP-JARLEGREN-POLICY> User <nisse> IP <x.x.x.x> Error adding dynamic ACL for user.

Has anyone managed to get this to work, or am I using the wrong syntax for the downloadable ACLs?

My config looks like this.

ip:inacl#1=permit ip 10.0.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ip:inacl#2=permit ip 10.0.2.0 255.255.255.0 192.168.3.0 255.255.255.0

Thanks in advance

Stefan

5 REPLIES

Re: Cisco ASA Microsoft(info) - Cisco-AV-Pair, multiple DACL

Hi,

From the System Log Messages guide, the explanation of message number 716051 is:

"There is not enough memory to perform the action".

Recommended Action: Purchase more memory, upgrade the device, or reduce the load on the device.

Reference: "http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html"

I hope this helps.

Best regards.

Massimiliano.


Re: Cisco ASA Microsoft(info) - Cisco-AV-Pair, multiple DACL

Hi

Thanks for the answer, but I'm running ASA 8.0 and the system message 716051 is the following error:

%ASA-6-716051: Group group-name User user-name IP IP_address Error adding dynamic ACL for user.

Best regards,

Stefan

Re: Cisco ASA Microsoft(info) - Cisco-AV-Pair, multiple DACL

Hi,

From the System Log Messages for version 8.0, the explanation is the same.

Reference: http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4777220

Did you try to add the access list manually?

Best regards.

Massimiliano.


Re: Cisco ASA Microsoft(info) - Cisco-AV-Pair, multiple DACL

Hi

Yes, I have tried to add the access-list manually and it works fine. So it must be something with the syntax

ip:inacl....

Do you have any ideas around the syntax that could be wrong, or is it correct?

The load on the box is around 1% and, as far as I know, you can't add more memory to the box.

Best regards,

//Stefan


Re: Cisco ASA Microsoft(info) - Cisco-AV-Pair, multiple DACL

Hi

If I just use one of the lines it works great.

//Stefan
