12-03-2007 11:22 AM - edited 03-11-2019 04:38 AM
Does anybody know if there is a limit on the total number of network-objects that can belong to a single network object-group? ASA 5520 8.0.2
Thanks.
12-03-2007 11:32 AM
Here's my best guess. I don't believe it has to do with object-grouping itself. My guess is it's more a limit of the ACLs. I believe the following shows the number of acceptable entries in an ACL:
asa(config)# access-list outside_acl line ?
configure mode commands/options:
<1-2147483647> Line-number
So maybe 2,147,483,647 entries per ACL? Keep in mind, just because using object-groups reduces the number of ACEs entered, all the ACEs are still there if you use the 'show access-list' command.
12-03-2007 11:49 AM
Ah. See, what I am trying to do is limit access to external services by a geoIPlocator script. Standard stuff w/ htaccess, iptables, and to build dynamically, but I have never done this on an ASA. I want to refresh a network object group with about 34000 network objects monthly and a corresponding ACL. So, if there isn't a hard limit on the number of network objects, that leaves me about 63000 access lists that can be created with that specific object-group. If I follow what you are saying…
12-04-2007 09:15 AM
On a Pix535 with 256MB of RAM, I tried to jam in about 250,000 lines in the ACL and the Pix blew up, and this pix is running version 7.x code. The reality is not in the config but how much ACL it will translate into when you do "show access-list".

Remember, you can have nested group within group. That's where the trouble begins.

Another thing to remember is that the PIX or ASA is a flash appliance so there are limitations to what it can and can not do.
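The point above, that the cost is the expanded ACE count in 'show access-list' rather than the number of lines in the config, can be estimated before loading anything onto the box. The following is an added example written for this thread, not code from the original posts or from Cisco: it assumes the ASA's documented behaviour that an ACE referencing network and service object-groups expands to one entry per (source, destination, service) combination, follows nested group-object references, and also collapses a prefix list so fewer network-objects are needed in the first place. The group names, prefixes and helper names are constructed for illustration.

```python
"""Added example (not from the original thread): estimate how many ACEs an
ASA/PIX will expand an object-group based ACL into, and collapse a CIDR
list so fewer network-objects are needed. Standard library only."""
import ipaddress

# Constructed sample data: a geo-IP style prefix list (hypothetical values).
GEO_PREFIXES = [
    "192.0.2.0/25", "192.0.2.128/25",   # adjacent halves -> one /24 after collapse
    "198.51.100.0/24", "203.0.113.0/24",
    "203.0.113.0/26",                   # contained in the /24 above -> dropped
]


def collapse_prefixes(prefixes):
    """Merge adjacent and overlapping prefixes; fewer objects means fewer ACEs."""
    nets = (ipaddress.ip_network(p, strict=False) for p in prefixes)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def object_group_config(name, prefixes):
    """Render an 'object-group network' block in ASA CLI syntax."""
    lines = [f"object-group network {name}"]
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if net.prefixlen == net.max_prefixlen:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return "\n".join(lines)


# Hypothetical object-groups: name -> list of member lines as they would appear
# in the config. A member beginning with 'group-object ' nests another group.
GROUPS = {
    "GEO_BLOCK": [f"network-object {p}" for p in collapse_prefixes(GEO_PREFIXES)],
    "GEO_ALL": ["group-object GEO_BLOCK", "network-object host 198.51.100.7"],
    "WEB_SERVERS": ["network-object host 192.0.2.10", "network-object host 192.0.2.11"],
    "WEB_PORTS": ["port-object eq 80", "port-object eq 443"],
}


def expanded_entries(group, groups):
    """Count leaf entries of a group, following nested group-object references."""
    count = 0
    for entry in groups[group]:
        if entry.startswith("group-object "):
            count += expanded_entries(entry.split(" ", 1)[1], groups)
        else:
            count += 1
    return count


def expanded_ace_count(src_group, dst_group, svc_group, groups):
    """One configured ACE with three groups expands to |src| * |dst| * |svc|
    entries; that expanded figure is what 'show access-list' shows and what
    consumes memory, not the single line in the running config."""
    return (expanded_entries(src_group, groups)
            * expanded_entries(dst_group, groups)
            * expanded_entries(svc_group, groups))


if __name__ == "__main__":
    print(object_group_config("GEO_BLOCK", collapse_prefixes(GEO_PREFIXES)))
    print("expanded ACEs:",
          expanded_ace_count("GEO_ALL", "WEB_SERVERS", "WEB_PORTS", GROUPS))
```

Run against a real 34000-prefix list, collapse_prefixes is usually the larger win: country-level allocations are often contiguous, and every prefix removed from the source group removes a whole row of destination × service combinations from the expanded ACL.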
12-04-2007 09:52 AM
Just to add to Kevin's point. On a FWSM there is a command to show the ACL count in the hardware, "sh np x ???". Talk to someone in TAC to find an equivalent command for ASA. That is a very useful command if you are worried about the scalability limits.
Satya
12-04-2007 10:23 AM
Hi Satya
I'm not sure that would work because the limits on the FWSM are hard limits imposed by the hardware architecture, whereas the limits on the pix boxes are soft limits, i.e. limits imposed by CPU/memory etc.
Jon
12-05-2007 09:11 AM
I tried to load a 515R, running 7.2.2, with just the network objects, no ACLs, and received nothing but memory allocation errors. The device was pretty much dead. I would receive memory allocation errors and the device would hang intermittently when just pinging it.
I upgraded the device to 8.0.3 and after loading up the 34000 network objects, the pix actually worked. None of the random memory allocation errors, the device didn't hang, and it actually passed traffic. The problem came when I actually tried to create an ACL with the object-group; that's where I received memory allocation errors. But I believe that's just because I used all of the available memory.
Used memory reported after creating an ACL w/ object-group: 62007904 bytes (92%)
What's worse it looks like the pix allocated the memory, failed on creating the access-list and didn't give the memory back up.
Used memory before trying to create an ACL w/ object-group: 55402880 bytes (83%)
And with only 16MB of flash, I have a feeling there probably isn't enough room to save the config once the ACLs are made with the corresponding object-groups.
Not having modified the ASA as extensively as the PIX I would assume that it will have the same issues with processing a higher number of network-objects and ACLs.
Should I forget trying this on the ASA/PIX and move to implement this on the edge routers?