Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1266
Views
0
Helpful
5
Replies

Cisco ASA Microsoft(info) - Cisco-AV-Pair, multiple DACL

s-andersson
Level 1
Level 1

‎06-12-2008 12:36 AM - edited ‎03-11-2019 05:58 AM

Hi

I'm trying to add downloadable ACL's via a LDAP map. I have done a map between the info attribute in Microsoft ActiveDirectory and the Cisco-AV-Pair field.

My problem is that when I add two lines in the configuration i recive an error in the ASA log.

%ASA-3-109032: Unable to install ACL 'AAA-user-nisse-406F160D', downloaded for user nisse; Error in ACE : 'permit ip 10.0.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ip:inacl#2=permit ip 10.0.2.0 255.255.255.0 192.168.3.0 255.255.255.0'

%ASA-6-716051: Group <SVC-LDAP-JARLEGREN-POLICY> User <nisse> IP <x.x.x.x> Error adding dynamic ACL for user.

Have anyone managed to get this to work or am I using the wrong syntax for the downloadable acl's

My config looks like this.

ip:inacl#1=permit ip 10.0.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ip:inacl#2=permit ip 10.0.2.0 255.255.255.0 192.168.3.0 255.255.255.0

Tanks in advance

Stefan

Labels:
0 Helpful
5 Replies 5

massimiliano.serafino
Level 4
Level 4

‎06-12-2008 12:50 AM

Hi,

From System Log Message the explanation of the message number 716051 is:

"There is not enough memory to perform the action".

Recommended Action: Purchase more memory, upgrade the device, or reduce the load on the device .

Reference: "http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html"

I hope this helps.

Best regards.

Massimiliano.

0 Helpful

s-andersson
Level 1
Level 1
In response to massimiliano.serafino

‎06-12-2008 12:57 AM

Hi

Tanks for the answer but I'm running ASA 8.0 and the system message 716051 is the following error:

%ASA-6-716051: Group group-name User user-name IP IP_address Error adding dynamic ACL for user.

Best regards,

Stefan

0 Helpful

massimiliano.serafino
Level 4
Level 4
In response to s-andersson

‎06-12-2008 01:03 AM

Hi,

From System Log messages version 8.0 the explanation is the same.

Reference: http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4777220

Did you try to add manually the access list?

Best regards.

Massimiliano.

0 Helpful

s-andersson
Level 1
Level 1
In response to massimiliano.serafino

‎06-12-2008 01:16 AM

Hi

Yes I have tried to add the access-list manually and it works fine. So it must be something with syntax

ip:inacl....

Do you have any ideas around the syntax that could be wrong or is it correct?

The load on the box is aroung 1% and what I know you can't add more memory to the box.

Best regards,

//Stefan

0 Helpful

s-andersson
Level 1
Level 1
In response to s-andersson

‎06-12-2008 01:17 AM

Hi

If I just use on of the lines it works great.

//Stefan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card