FWSM 4.1(1) and access-list commit.

andrea.meconi (Level 2)

How can I commit access-list more quickly?

When I add an ACE, the FWSM takes more time to commit.

Thanks.

Regards.

Andrea

Accepted Solution: see PK's reply below.

9 Replies

Kureli Sankar (Cisco Employee)

You do have auto commit, right, not manual commit? ACL compilation will take a few seconds. How long does it take? What is the ACE count?

sh access-list | i elements

sh resource acl (from the system space)

This command will provide information about the context allocated to the partition and the maximum number of ACEs used in each partition.

sh np 3 acl count (from the context in question)

You can also read the doc on FWSM acl limit that I published here: https://supportforums.cisco.com/docs/DOC-8786

-KS

Many thanks for your help.

We are using single mode, auto commit and ASDM to change configuration.

ACL compilation takes more than two minutes and is very very tedious.

We need to wait some minutes to test a newly added ACE!

Result of the command: "sh run | i commit"

The command has been sent to the device

Result of the command: "sh access-list | i elements"

access-list acl_out; 1789 elements
access-list dmz1_access_in; 15 elements
access-list acl_inside; 6517 elements
access-list BrennerCom_access_in; 13522 elements
access-list Laimburg_access_in; 367 elements
access-list Cantieri_access_in; 494 elements
access-list inside_pnat_outbound; 2 elements
access-list Forestali_access_in; 3201 elements
access-list dmz3_access_in; 54 elements
access-list Remedy_access_in; 49 elements
access-list inside_nat_outbound; 21 elements
access-list inside_nat_static_1; 1 elements
access-list inside_nat_static; 1 elements
access-list inside_nat_static_17; 1 elements
access-list inside_nat_static_4; 1 elements
access-list inside_nat_static_6; 1 elements
access-list inside_nat_static_5; 1 elements
access-list inside_nat_static_2; 1 elements
access-list inside_nat_static_3; 1 elements
access-list inside_nat_static_9; 1 elements
access-list inside_nat_static_7; 1 elements
access-list inside_nat_static_8; 1 elements
access-list inside_nat_static_11; 1 elements
access-list inside_nat_static_10; 1 elements
access-list inside_nat_static_12; 1 elements
access-list inside_nat_static_13; 1 elements
access-list inside_nat_static_14; 1 elements
access-list inside_nat_static_15; 1 elements
access-list inside_nat_static_29; 2 elements
access-list inside_nat_static_16; 1 elements
access-list inside_nat_static_19; 1 elements
access-list inside_nat_static_20; 1 elements
access-list inside_nat_static_18; 1 elements
access-list inside_nat_static_21; 1 elements
access-list inside_nat_static_22; 2 elements
access-list inside_nat_static_24; 5 elements
access-list inside_nat_static_25; 1 elements
access-list dmz3-vpn_nat_static; 2 elements
access-list dmz3-vpn_nat_static_1; 4 elements
access-list inside_nat_static_26; 5 elements
access-list inside_nat_static_27; 2 elements
access-list inside_nat_static_28; 1 elements
access-list marco1; 4 elements
access-list Bacini_access_in; 14 elements
access-list inside_nat_static_23; 1 elements

Regards.

Andrea

Could you please try to add a dummy ACE to an existing ACL via the CLI and tell me how long it takes to compile?

Example:

conf t
access-list BrennerCom_access_in line 1 permit icmp any any

You can remove it later.

-KS

Done.

FWSM takes one minute and 40 seconds to compile it.

Thanks.

Andrea

To add to Kureli's suggestions, you have about 10K rules. Unfortunately, in order to test a new rule, all of them need to be recompiled, and with 10K rules it will take some time to recompile (1-2 mins is normal). Note that if you have ACL optimization enabled, it will take more time. You will not be losing traffic during that time, though; you really do need to wait for the ACL to be compiled for the rules to take effect and test them.

I hope it clarifies it a little.

PK

Many thanks for your answer.

Regards.

Andrea

Please mark this as answered if it is, so others can benefit in the future.

Take care,

PK

Marked.

Regards.

Andrea

Hi all, I'm having the same issue. I have an FWSM running 3.1(1); when I add any ACL it takes the FWSM about 7 minutes to apply it, and during that time the CPU hits 95%.

-------------- CLS Rule Current Counts --------------
CLS Filter Rule Count       :             0
CLS Fixup Rule Count        :           105
CLS Est Ctl Rule Count      :             0
CLS AAA Rule Count          :             0
CLS Est Data Rule Count     :             0
CLS Console Rule Count      :            18
CLS Policy NAT Rule Count   :             0
CLS ACL Rule Count          :         70566
CLS ACL Uncommitted Add     :             0
CLS ACL Uncommitted Del     :             0
---------------- CLS Rule MAX Counts ----------------
CLS Filter MAX              :          2764
CLS Fixup MAX               :          4147
CLS Est Ctl Rule MAX        :           460
CLS Est Data Rule MAX       :           460
CLS AAA Rule MAX            :          6451
CLS Console Rule MAX        :          1843
CLS Policy NAT Rule MAX     :          1843
CLS ACL Rule MAX            :         74188

Help Please

Thanks,
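The two diagnostics in this thread, the "sh access-list | i elements" listing Andrea posted and the CLS rule-count block in the last post, are what tell you whether a slow commit is simply the expected cost of recompiling a large rule set or a sign that the ACL rule table is near its hard limit. The following script is an added example written for this page, not code from Cisco or from any poster: it parses both outputs, totals the expanded elements, finds the largest ACL, and computes ACL rule-table utilization against the CLS ACL Rule MAX. The sample inputs are constructed here from the numbers in the thread (the elements list is a trimmed subset of Andrea's); the CLS block is assumed to be what "sh np 3 acl count" prints, and the 90% warning threshold is an arbitrary choice for the example.

```python
import re

# Constructed sample in the format of "sh access-list | i elements" on the FWSM,
# using a trimmed subset of the ACL names and element counts posted in the thread.
SAMPLE_ELEMENTS = """\
access-list acl_out; 1789 elements
access-list dmz1_access_in; 15 elements
access-list acl_inside; 6517 elements
access-list BrennerCom_access_in; 13522 elements
access-list Forestali_access_in; 3201 elements
access-list inside_nat_static_24; 5 elements
"""

# Constructed sample in the format of the CLS rule-count block from the last post
# (assumed here to be "sh np 3 acl count" output), trimmed to the relevant rows.
SAMPLE_CLS = """\
-------------- CLS Rule Current Counts --------------
CLS Fixup Rule Count        :           105
CLS Console Rule Count      :            18
CLS ACL Rule Count          :         70566
CLS ACL Uncommitted Add     :             0
CLS ACL Uncommitted Del     :             0
---------------- CLS Rule MAX Counts ----------------
CLS Fixup MAX               :          4147
CLS Console Rule MAX        :          1843
CLS ACL Rule MAX            :         74188
"""

_ELEMENTS_RE = re.compile(r"^access-list\s+(\S+);\s+(\d+)\s+elements?$")
_CLS_RE = re.compile(r"^CLS\s+(.+?)\s*:\s*(\d+)$")


def parse_elements(text):
    """Map ACL name -> expanded element count from 'sh access-list | i elements'."""
    counts = {}
    for line in text.splitlines():
        m = _ELEMENTS_RE.match(line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def parse_cls(text):
    """Map CLS counter name (e.g. 'ACL Rule Count') -> value; separator lines are skipped."""
    counts = {}
    for line in text.splitlines():
        m = _CLS_RE.match(line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def summarize_elements(counts):
    """Total elements across all ACLs and the single largest ACL as (name, count)."""
    total = sum(counts.values())
    if not counts:
        return 0, (None, 0)
    name = max(counts, key=counts.get)
    return total, (name, counts[name])


def acl_utilization(cls):
    """Used rules, the MAX, the used fraction, and pending uncommitted adds/deletes."""
    used = cls["ACL Rule Count"]
    limit = cls["ACL Rule MAX"]
    pending = cls.get("ACL Uncommitted Add", 0) + cls.get("ACL Uncommitted Del", 0)
    return used, limit, used / limit, pending


def report(elements_text, cls_text, warn_at=0.90):
    """Combine both outputs into one dict; 'warnings' lists the conditions worth acting on.
    warn_at is an arbitrary threshold chosen for this example, not a Cisco figure."""
    elems = parse_elements(elements_text)
    total, (big_name, big_count) = summarize_elements(elems)
    used, limit, frac, pending = acl_utilization(parse_cls(cls_text))
    warnings = []
    if frac >= warn_at:
        warnings.append(f"ACL rule table at {frac:.0%} of MAX ({used}/{limit})")
    if pending:
        warnings.append(f"{pending} ACEs still uncommitted; wait for the compile before testing")
    return {
        "total_elements": total,
        "largest_acl": big_name,
        "largest_acl_elements": big_count,
        "acl_rule_count": used,
        "acl_rule_max": limit,
        "utilization": frac,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_ELEMENTS, SAMPLE_CLS).items():
        print(f"{key}: {value}")
```

Run against the thread's own numbers, the last poster's box comes out at roughly 95% of its CLS ACL Rule MAX, which is a more useful thing to know than the compile time alone: at that point the next object-group expansion can fail to commit rather than merely commit slowly. The "elements" figure is the expanded count (object groups and port ranges expanded), so it is the number the compiler actually processes and the one to trend over time.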
