Cisco Support Community
New Member

DAP limitations

Are there any limitations regarding Dynamic Access Policies (DAP), i.e. CPU, Memory, walk through times?

Use Case:

ASA5520, 3000 IPSEC Users, LDAP Connection to AD

There are 200 Groups in the AD that will be referenced in the DAP.

So there are 200 DAP Entries, all with "Continue" at the end of the DAP.

A user can be a member of many AD groups.

Every DAP entry has its own ACL of about 5 ACEs.


Cisco Employee

Re: DAP limitations

There is no configuration limit for the number of DAP records on the ASA. There are limits on the number of values/instances each attribute can have. Currently a maximum of 999 values/instances can be processed per attribute in each DAP. With that said, each instance will utilize memory and CPU for processing. If you have excessive numbers you will want to keep an eye on memory utilization since you may want to adjust your plans for device capacity appropriately.
