Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Unable to generate rules on CSA MC and the "Rules for abc.xyz have complexity xxxx which exceeds the maximum of 7500" error message appears

Core issue

The Rules for abc.xyz have complexity xxxx which exceeds the maximum of 7500 error message occurs because of the complexity check. Complexity is a check on the number of literals and number of distinct rules applied to a particular host. A literal is anything defined in a fileset.

For example, foo.exe is 1 literal and foo.exe, foo2.exe are two literals. In order to reduce the literals and thus generate rules successfully, you need to wildcard and generalize when possible. So foo*.exe changes the literals to 1 from 2, for example, from foo.exe and foo2.exe. The maximum literals is 7500.

The purpose is to prevent end systems slowness due to excessive processing time spent in every rule engine transaction.

Resolution

In order to resolve this issue, reduce your rule set slightly and examine for duplicates.

An easy way to  examine the duplicates is to choose Configuration > Policies. Scroll down to your policy and click the policy. On the next screen, scroll past the modules and onto the section called Combined Policy Rules.  In this section, you see headers such as ID, Type, Status, Action, Log, and so forth. Click directly on the Type heading.  This sorts the rules by type.

Version history
Revision #:
1 of 1
Last update:
‎06-22-2009 04:07 PM
Updated by:
 
Labels (1)