Cisco Support Community
New Member

FWSM 3.2(2)

Hi All,

    I have an FWSM with s/w 3.2(2). While I was creating an access list, an error message appeared:

error message: "ERROR: Unable to add, access-list config limit reached"

This FWSM is single context, not multiple; I can't find the "resource acl-partition" command although it is found in the guide.

I want to know if this command applies only to multiple context mode. If yes, what method can I use to solve this problem on a single-context FW?

Thanks

1 ACCEPTED SOLUTION
Cisco Employee

Re: FWSM 3.2(2)

Ibrahim,

Yes - the 'resource acl-partition' is supported only in multi-context mode. When you look at the Command Reference Guide, you will see that there is a dot only under the 'System' context in the Multiple Context mode.  This implies that the command is only available via the System context:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/qr.html#wp1622931

If you are seeing this issue on a single context FWSM, your only means of recourse is to reduce the number of ACL entries that you have.  This may be best accomplished by combining host access-list entries into subnet entries.  Any approach that you can use to make your access-lists "less specific" will oftentimes reduce the amount of resources that the ACL takes up.

Let us know if you have any further questions.  If you have no further questions, please be sure to mark this topic as 'answered'.

Best Regards,

Kevin
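The consolidation Kevin describes (collapsing per-host ACEs into subnet ACEs) is easy to get wrong by hand in two ways: widening a rule to a subnet that admits hosts the original never permitted, and reordering entries so that a later deny no longer sits where it did. The script below is an added example, not from this thread or from Cisco; it works on constructed FWSM-style "access-list ... extended" lines, merges only runs of consecutive ACEs that are identical except for a "host" source, and uses Python's ipaddress.collapse_addresses, which only joins exactly adjacent, aligned blocks, so the result covers precisely the original hosts and nothing more. The ACL name, addresses and ports are made up.

```python
"""Lossless consolidation of FWSM per-host ACEs into subnet ACEs.

Added example (not from the original thread). Input is constructed sample
text in FWSM/ASA 'access-list NAME extended ...' syntax.
"""
import ipaddress
import re

# Constructed sample ACL: six adjacent hosts, one stray host, a UDP entry
# and a final deny. Only source hosts written as 'host A.B.C.D' are merged.
SAMPLE_ACL = """\
access-list INSIDE_OUT extended permit tcp host 10.1.1.0 host 192.0.2.10 eq 443
access-list INSIDE_OUT extended permit tcp host 10.1.1.1 host 192.0.2.10 eq 443
access-list INSIDE_OUT extended permit tcp host 10.1.1.2 host 192.0.2.10 eq 443
access-list INSIDE_OUT extended permit tcp host 10.1.1.3 host 192.0.2.10 eq 443
access-list INSIDE_OUT extended permit tcp host 10.1.1.4 host 192.0.2.10 eq 443
access-list INSIDE_OUT extended permit tcp host 10.1.1.5 host 192.0.2.10 eq 443
access-list INSIDE_OUT extended permit tcp host 10.1.1.9 host 192.0.2.10 eq 443
access-list INSIDE_OUT extended permit udp host 10.1.1.0 host 192.0.2.53 eq 53
access-list INSIDE_OUT extended deny ip any any
"""

# Matches the simple 'host <src>' form; everything after the source
# (destination, ports, logging) is kept verbatim as part of the group key.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"host (?P<src>\d+\.\d+\.\d+\.\d+) (?P<rest>.+)$"
)


def _render(net, key):
    """Print one network in FWSM syntax: 'host X' for /32, else 'X MASK'."""
    acl, action, proto, rest = key
    if net.prefixlen == 32:
        src = f"host {net.network_address}"
    else:
        src = f"{net.network_address} {net.netmask}"
    return f"access-list {acl} extended {action} {proto} {src} {rest}"


def consolidate(acl_text):
    """Return (new_lines, ace_count_before, ace_count_after).

    Only runs of *consecutive* ACEs that differ solely in the source host
    are merged, so first-match ordering relative to other entries is kept.
    Non-matching lines (object-groups, 'any', ranges) pass through as-is.
    """
    out = []
    before = after = 0
    run_key, run_hosts = None, []

    def flush():
        nonlocal run_key, run_hosts, after
        if run_key is None:
            return
        nets = list(ipaddress.collapse_addresses(run_hosts))
        # Safety check: the merged blocks must cover exactly the original
        # hosts; collapse_addresses never widens, but make that explicit.
        assert sum(n.num_addresses for n in nets) == len(set(run_hosts))
        for net in nets:
            out.append(_render(net, run_key))
            after += 1
        run_key, run_hosts = None, []

    for line in acl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        before += 1
        m = ACE_RE.match(line)
        if m:
            key = (m["acl"], m["action"], m["proto"], m["rest"])
            if key != run_key:
                flush()
                run_key = key
            run_hosts.append(ipaddress.ip_network(m["src"] + "/32"))
        else:
            flush()
            out.append(line)
            after += 1
    flush()
    return out, before, after


if __name__ == "__main__":
    lines, before, after = consolidate(SAMPLE_ACL)
    print(f"{before} ACEs -> {after} ACEs")
    print("\n".join(lines))
```

On the sample this turns nine ACEs into five: 10.1.1.0-.5 become 10.1.1.0/30 and 10.1.1.4/31, 10.1.1.9 stays a host entry, and the UDP and deny lines are untouched. Paste the real configuration (not the "show access-list" output, which already has object-groups expanded) and compare the "after" total against the per-release limits quoted later in this thread. Anything beyond this, such as replacing a scattered set of hosts with one covering /24, is a policy change that admits new sources and should be reviewed as such, not treated as a tidy-up.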

5 REPLIES
Cisco Employee

Re: FWSM 3.2(2)

You can do "show resource usage".

Or "sh access-list | i element".

You are probably close to the 3.2 ACL limit (75K).

I hope it helps.

PK

New Member

Re: FWSM 3.2(2)

Is there any way to increase the number of ACEs after reaching the limit of 75k on FWSM version 3.1(8)?

Thanks,
Vikram

Cisco Employee

Re: FWSM 3.2(2)

ACE limit for version 3.1.x is just 72,806:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/specs_f.html#wp1057500

and ACE limit for version 3.2.x is 74,188:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/specs_f.html#wp1063812

So if you are currently running version 3.1, you can upgrade to version 3.2.x to increase the ACE limit from 72,806 to 74,188.

Or to further increase the limit, you can upgrade to version 4.0.x: 100,567:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/specs_f.html#wp1067843

Please check out the release notes on hardware/software compatibility prior to upgrade.

Hope that helps.

New Member

Re: FWSM 3.2(2)

Thanks Jennifer
