We update FWSM ACLs by editing text files (partially automatically) (with 'clear configure access-list <>' at the top and 'access-list commit' at the bottom) and then TFTPing them to the FWSMs. However, scripting this process with 'Expect' has now and then caused the active FWSM to partially freeze on management access (normal traffic OK) ("Configuration update in progress by another process....") with no recovery except a forced failover and reload. ACL size apparently has no influence. The problem has not occurred when doing it manually:
copy tftp run
Any ideas for a fix? And what is best practice for ACL updates (~55 same-security-level interfaces in single mode)? I don't think ASDM is the solution.
Access lists are made up of one or more Access Control Entries. An ACE is a single entry in an access list that specifies a permit or deny rule, and is applied to a protocol, a source and destination IP address or network, and optionally the source and destination ports.
Refer to the following URL for more information on configuring and adding ACLs in FWSM:
Thanks for the answer - I know my ACL fundamentals though - the problem is/was how to update entire ACLs, not ACEs (with up to 3000 ACEs; total amount of ACEs in use: ~19,000, ~20% memory usage) with scripting. The problem seems to have been solved by slowing down the script and carefully ensuring that one step has completed before the next one starts.
Funny - the supplied link doesn't offer any information on the differences between manual and auto commit (auto-commit is where the ACEs are compiled line by line, which can take a really long time if you substitute an entire ACL).
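The replacement-file layout the original poster describes (a 'clear configure access-list NAME' line first, the ACEs, then 'access-list commit' so the whole ACL is compiled once under manual-commit mode) is easy to get wrong when the file is built partly by script. The following is an added example, not code from the thread: a small Python generator that renders ACEs into FWSM extended-ACL syntax inside that wrapper, plus a pre-flight check to run on the file before it is copied to the FWSM. The ACL name 'dmz_in', the sample ACEs and the check rules are my own constructed assumptions; the TFTP copy and the Expect session that the poster slows down are not shown, and the generator does nothing to pace the push itself.

```python
"""Build and sanity-check an FWSM ACL replacement file of the form
'clear configure access-list NAME' / one ACE per line / 'access-list commit'.
Added example for the thread above; names and sample data are assumptions."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", "icmp", ...
    src: str                    # "any", a host ("10.1.1.5") or a network ("10.1.0.0/16")
    dst: str
    dport: Optional[str] = None  # e.g. "eq 443" or "range 8000 8010"


def fmt_addr(addr: str) -> str:
    """Render an address the way FWSM extended ACEs expect it."""
    if addr == "any":
        return "any"
    net = ipaddress.ip_network(addr, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"   # network + dotted mask


def render_ace(name: str, ace: Ace) -> str:
    """One 'access-list NAME extended ...' line; rejects nonsense early."""
    if ace.action not in ("permit", "deny"):
        raise ValueError(f"bad action {ace.action!r}")
    parts = [f"access-list {name} extended {ace.action} {ace.proto}",
             fmt_addr(ace.src), fmt_addr(ace.dst)]
    if ace.dport:
        if ace.proto not in ("tcp", "udp"):
            raise ValueError("port qualifier is only valid for tcp/udp")
        parts.append(ace.dport)
    return " ".join(parts)


def render_acl_file(name: str, aces: List[Ace]) -> str:
    """Whole replacement file: clear, ACEs (first occurrence kept, exact
    duplicates dropped, order preserved), then a single commit."""
    seen, body = set(), []
    for ace in aces:
        if ace in seen:
            continue
        seen.add(ace)
        body.append(render_ace(name, ace))
    lines = [f"clear configure access-list {name}", *body, "access-list commit"]
    return "\n".join(lines) + "\n"


def check_acl_file(text: str, name: str) -> List[str]:
    """Pre-flight check before the file is copied to the FWSM.
    Returns a list of problems; an empty list means the layout is right."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    problems = []
    if not lines or lines[0] != f"clear configure access-list {name}":
        problems.append("first line must clear the ACL being replaced")
    if not lines or lines[-1] != "access-list commit":
        problems.append("last line must be 'access-list commit'")
    for n, ln in enumerate(lines[1:-1], start=2):
        # Anything in the body that is not an ACE of this ACL (a stray commit,
        # a different ACL, a typo) would be pushed verbatim to the firewall.
        if not ln.startswith(f"access-list {name} "):
            problems.append(f"line {n}: not an ACE of {name}: {ln!r}")
    return problems


# Constructed sample input (assumption, not from the thread).
SAMPLE_ACES = [
    Ace("permit", "tcp", "10.1.0.0/16", "10.2.5.10", "eq 443"),
    Ace("permit", "udp", "10.1.1.5", "10.2.5.53", "eq 53"),
    Ace("permit", "tcp", "10.1.0.0/16", "10.2.5.10", "eq 443"),   # duplicate, dropped
    Ace("deny", "ip", "any", "any"),
]

if __name__ == "__main__":
    out = render_acl_file("dmz_in", SAMPLE_ACES)
    print(out, end="")
    for p in check_acl_file(out, "dmz_in"):
        print("PROBLEM:", p)
```

Run the check on the generated file (and on any hand-edited one) before the TFTP step; a stray second 'access-list commit' or a line belonging to another ACL is exactly the kind of thing that is easy to miss in a 3000-line file and is flagged here.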