Hey Alexis, I opened a TAC case as well. It may be worth it just to have them explain it to you better. Basically, every netdestination (source, destination, service) you use in an ACL is added to the total list of hit-indices. The way the TAC explained it to me is that it's (number of sources) * (number of destinations) * (number of services) in a single ACL, which will then be added together for the Mobility Devices.
So if you have:
Source: 10.1.0.0/16 and 10.2.0.0/16 = 2 netdestinations
Dest: 10.3.0.0/16 = 1 netdestination
Services: 22, 80, 443 = 3 netdestinations
This ACL would have 2 * 1 * 3 = 6 hit-indices, which are added to the total. The limit on hit-indices for a mobility device is 8,192.
I was getting very granular with my rules. Lots of individual IPs in lots of different ACLs and I am hitting this limit. I don't currently have a solution around it.
I have been told that in a version of code that just came out (you'll have to excuse my ignorance on code versions, I'm new to this. I think it's 6.8.8?) the hit-indices will be 0 by default, and you can turn them on with a debug command per ACL for troubleshooting.
Unfortunately, we have a very large environment and won't be using this code until it becomes the conservative version which won't be for a very long time.
We also have a third-party Aruba engineer working on a solution that pushes the ACLs down from ClearPass, instead of making them on the Mobility Master. He thinks this will not use the hit-indices limit, but we haven't tested it yet.
I hope this helps.
------------------------------
Grant Hays
------------------------------
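As an added example (not part of either post above, and not Aruba's own tooling), here is a small Python budget calculator that applies the per-ACL rule Grant relays from TAC: sources times destinations times services per ACL, summed across ACLs, compared against the 8,192 per-device limit. The `Acl` class, the `budget_report` helper and the sample ACLs are constructed for this illustration; it counts entries exactly as the post's worked example does (each listed network or port is one netdestination) and assumes nothing else about how the controller allocates hit-indices.

```python
from dataclasses import dataclass

# Per-device limit stated in the post above.
HIT_INDEX_LIMIT = 8192


@dataclass(frozen=True)
class Acl:
    """An ACL described only by the netdestination entries it references.

    Hypothetical data model for this example: each source, destination and
    service entry counts as one netdestination, as in the post's worked example.
    """
    name: str
    sources: tuple
    destinations: tuple
    services: tuple

    def hit_indices(self) -> int:
        # Rule quoted in the post: (sources) * (destinations) * (services) per ACL.
        return len(self.sources) * len(self.destinations) * len(self.services)


def total_hit_indices(acls) -> int:
    """Sum of the per-ACL products; this is what the post says counts against the device."""
    return sum(acl.hit_indices() for acl in acls)


def budget_report(acls, limit=HIT_INDEX_LIMIT) -> dict:
    """Summarise consumption so the heaviest ACLs are visible before a push fails."""
    total = total_hit_indices(acls)
    ranked = sorted(acls, key=lambda a: a.hit_indices(), reverse=True)
    return {
        "total": total,
        "limit": limit,
        "remaining": limit - total,        # negative once the device would reject the policy
        "over_limit": total > limit,
        "heaviest": [(a.name, a.hit_indices()) for a in ranked[:3]],
    }


# Constructed sample input: the ACL from the post plus two invented ACLs
# using RFC 5737 documentation ranges.
POST_EXAMPLE = Acl(
    name="post-example",
    sources=("10.1.0.0/16", "10.2.0.0/16"),
    destinations=("10.3.0.0/16",),
    services=("tcp/22", "tcp/80", "tcp/443"),
)

# A "granular" ACL of the kind the post describes: many individual hosts.
GRANULAR = Acl(
    name="granular-hosts",
    sources=tuple(f"192.0.2.{i}" for i in range(1, 41)),         # 40 hosts
    destinations=tuple(f"198.51.100.{i}" for i in range(1, 41)),  # 40 hosts
    services=("tcp/22", "tcp/80", "tcp/443", "tcp/3389", "udp/161"),
)

SMALL = Acl(
    name="small",
    sources=tuple(f"203.0.113.{i}" for i in range(1, 11)),          # 10 hosts
    destinations=tuple(f"203.0.113.{i}" for i in range(100, 110)),  # 10 hosts
    services=("tcp/443", "tcp/8443", "tcp/22"),
)


if __name__ == "__main__":
    # Adding one modest ACL to an already heavy set is enough to cross the limit.
    for label, acls in (("before", [POST_EXAMPLE, GRANULAR]),
                        ("after", [POST_EXAMPLE, GRANULAR, SMALL])):
        report = budget_report(acls)
        print(f"{label}: total={report['total']} remaining={report['remaining']} "
              f"over_limit={report['over_limit']} heaviest={report['heaviest']}")
```

Running it shows how a single 40-host by 40-host ACL with five services consumes 8,000 of the 8,192 indices on its own, which is why deployments start failing once a few more rules are added, and the `heaviest` list points at which ACL to restructure first.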
Original Message:
Sent: Apr 27, 2021 06:40 AM
From: Alexis La Goutte
Subject: Mobility Master Policy Deployment Failure
Hi Grant,
Have you found a solution? I think a case needs to be opened with TAC (what MM release?)
------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...
PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)
PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..
ACEP / ACMX #107 / ACDX #1281
Original Message:
Sent: Apr 14, 2021 08:05 PM
From: Grant Hays
Subject: Mobility Master Policy Deployment Failure
I have been hitting an error for a few weeks now and I'm not sure what I'm doing wrong.
I just built a new policy for a tunneled node role. It's got 22 rules in it. I built it with 16 rules initially and deployed to the controllers. No issue. I then added 6 more rules and now 10 of the 12 controllers are failing to deploy. Then when I remove the 6 I added, I still have the same errors in the deployment status.
The error I receive is
Process: Authentication
Command: alias <alias name> user <service alias> permit log
Message: Can't add policy to ACL '<policy name>', needs 8 hits indicies, have only 5 hits indices.
The hits index numbers are different on some controllers too. Sometimes it's a different command as well.
Any help would be greatly appreciated.
------------------------------
Grant Hays
------------------------------