cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4717
Views
0
Helpful
6
Replies

object-group network limit

gmillerarmt
Level 1
Level 1

Does anybody know if there is a limit on the total number of network-objects that can belong to a single network object-group? ASA 5520 8.0.2

Thanks.

6 Replies 6

srue
Level 7
Level 7

here's my best guess. I don't believe it has to do with object-grouping itself. My guess is it's more a limit of the ACL's. I believe the following shows the number of acceptable entries in an ACL:

asa(config)# access-list outside_acl line ?

configure mode commands/options:

<1-2147483647> Line-number

so maybe 2,147,483,647 entires per ACL? keep in mind, just because using object-groups reduces the number of ACE's entered, all the ACE's are still there if you use the 'show access-list' command.

Ah. See, what I am trying to do is limit access to external services by a geoIPlocator script. Standard stuff w/ htaccess, iptables, and to build dynamically but I have never done this on an ASA. I want to refresh a network object group with about 34000 network objects monthly and corresponding ACL. So, if there isn't a hard limit on the number of network objects that leaves me about 63000 access lists that can be created with that specific object-group. If I follow what you are saying…

On a Pix535 with 256MB of RAM, I tried to

jam in about 250,000 lines in the ACL and the

Pix blew up, and this pix is running version

7.x code. The reality is not in the

config but how much acl it will translate

into when do you "show access-list".

Remember, you can have nested group within

group. That's where the trouble begin.

Another thing to remember is that the or ASA

is an flash appliance so there are limitations

to what it can and can not do.

Just to add to kevin's point. On a FWSM there is a command to show the acl count in the hardware "sh np x ???". Talk to someone in TAC to find an equivalent command for ASA. That is a very useful command if you are worried about the scalability limits.

Satya

Hi Satya

I'm not sure that would work because the limits on the FWSM are hard limits imposed by the hardware architecture whereas the limits on the pix boxes are soft limits ie. limits imposed by cpu/memory etc.

Jon

I tried to load a 515R, running 7.2.2, with just the network objects, no ACLs, and received nothing but memory allocation errors. The device was pretty much dead. I would receive memory allocation errors and the device would hang intermittently when just pinging it.

I upgraded the device to 8.0.3 and after loading up the 34000 network objects, the pix actually worked. None of the random memory allocation errors, the device didn't hang, and actually passed traffic. The problem came when i actually tried to create an ACL with the object-group, that's where I received memory allocation errors. But I believe that's just because I used all of the available memory.

Used memory reported after creating an ACL w/ object-group: 62007904 bytes (92%))

What's worse it looks like the pix allocated the memory, failed on creating the access-list and didn't give the memory back up.

Used memory before trying to create an ACL w/ object-group: 55402880 bytes (83%)

And with only 16MB of flash, I have a feeling,there probably isn't enough room to save the config once the ACLs are made with the corresponding object-groups.

Not having modified the ASA as extensively as the PIX I would assume that it will have the same issues with processing a higher number of network-objects and ACLs.

Should I forget trying this on the ASA/PIX and move to implement this on the edge routers?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: