Original Message:
Sent: Jan 13, 2023 10:09 AM
From: koen
Subject: 716 idm: ACL error - insufficient policy engine resources
Workaround that worked for us: disable http fingerprinting
We were also promised that the issue will be fixed in the upcoming release, i.e. 16.11.0009, which would tentatively be released by the end of Jan 2023.
Original Message:
Sent: Jan 13, 2023 09:02 AM
From: rafter_1
Subject: 716 idm: ACL error - insufficient policy engine resources
Thanks for this, we've also started to see this, on 2930F switches with AOS WC.16.11.0004. I'll have to wait until I can get a reboot in to test if the issue goes away (probably for a while I guess).
I couldn't reproduce the issue in a lab - but that's probably because it was recently rebooted.
Has anyone updated to WC.16.11.0008 and seen this issue go away? I don't see anything in the release notes to suggest it's been fixed...?
Original Message:
Sent: Sep 23, 2022 11:54 AM
From: koen
Subject: 716 idm: ACL error - insufficient policy engine resources
For those running into the same issue..
Reboot of the affected stack member did NOT fix the issue.
Reboot of the entire stack did resolve the issue.
Original Message:
Sent: Sep 22, 2022 06:16 AM
From: Koen V
Subject: 716 idm: ACL error - insufficient policy engine resources
In our case we are already running wc16.11.0006 and we first saw this issue on this release.
I don't believe it is an actual resource issue. Not one caused by resource usage anyway. We only use a few small ACLs and the switch is lightly loaded with users compared to other switches with exactly the same ACLs.
If I interpret the output below correctly, line 22 says no resources are available while none are used?
Userguide isn't too helpful either.
Oh, and no foundation care so TAC won't look at the ticket.
Resource usage in Policy Enforcement Engine
Ingress Policy Enforcement Engine Rules
Resource usage in Policy Enforcement Engine
| Rules | Rules Used
Ports | Available | ACL | QoS | IDM | VT | Mirr | PBR | OF | Other |
--------------+-----------+-----+-----+-----+-----+------+-----+------+-------|
1/1-48,A | 3842 | 0 | 0 | 208 | 0 | 0 | 0 | 0 | 266 |
2/1-48,A | 4052 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 56 |
Ingress Policy Enforcement Engine Meters
| Meters | Meters Used
Ports | Available | ACL | QoS | IDM | VT | Mirr | PBR | OF | Other |
--------------+-----------+-----+-----+-----+-----+------+-----+------+-------|
1/1-48,A | 1782 | | 0 | 1 | 0 | | | 0 | 0 |
2/1-48,A | 0 | | 0 | 0 | 0 | | | 0 | 0 |
Ingress Policy Enforcement Engine Port Ranges
|Application|
|Port Ranges| Application Port Ranges Used
Ports | Available | ACL | QoS | IDM | VT | Mirr | PBR | OF | Other |
--------------+-----------+-----+-----+-----+-----+------+-----+------+-------|
1/1-48,A | 60 | 0 | 0 | 0 | | 0 | 0 | 0 | 0 |
2/1-48,A | 60 | 0 | 0 | 0 | | 0 | 0 | 0 | 0 |
Ingress Policy Enforcement Engine PBR Resources
| PBR |
| Next-hops | PBR Next-hops Used
Ports | Available | ACL | QoS | IDM | VT | Mirr | PBR | OF | Other |
--------------+-----------+-----+-----+-----+-----+------+-----+------+-------|
1/1-48,A | 1024 | | | | | | 0 | | 0 |
2/1-48,A | 1024 | | | | | | 0 | | 0 |
7 of 32 Policy Engine management resources used.
Egress Policy Enforcement Engine Rules
Resource usage in Policy Enforcement Engine
| Rules | Rules Used
Ports | Available | ACL | QoS | IDM | VT | Mirr | PBR | OF | Other |
--------------+-----------+-----+-----+-----+-----+------+-----+------+-------|
1/1-48,A | 2032 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
2/1-48,A | 2032 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Egress Policy Enforcement Engine Meters
| Meters | Meters Used
Ports | Available | ACL | QoS | IDM | VT | Mirr | PBR | OF | Other |
--------------+-----------+-----+-----+-----+-----+------+-----+------+-------|
1/1-48,A | 1023 | | 0 | 0 | 0 | | | 0 | 0 |
2/1-48,A | 1023 | | 0 | 0 | 0 | | | 0 | 0 |
Egress Policy Enforcement Engine Port Ranges
|Application|
|Port Ranges| Application Port Ranges Used
Ports | Available | ACL | QoS | IDM | VT | Mirr | PBR | OF | Other |
--------------+-----------+-----+-----+-----+-----+------+-----+------+-------|
1/1-48,A | 60 | 0 | 0 | 0 | | 0 | 0 | 0 | 0 |
2/1-48,A | 60 | 0 | 0 | 0 | | 0 | 0 | 0 | 0 |
0 of 8 Policy Engine management resources used.
Key:
ACL = Access Control Lists
QoS = Device & Application Port Priority, QoS Policies, ICMP rate limits
IDM = Identity Driven Management
VT = Virus Throttling blocks
Mirr = Mirror Policies, Remote Intelligent Mirror endpoints
PBR = Policy Based Routing Policies
OF = OpenFlow
Other = Management VLAN, DHCP Snooping, ARP Protection, Jumbo IP-MTU,
RA Guard, Control Plane Protection, Service Tunnel, ND Snooping, UWW,
mDNS, tunneled-node-server, copp, ICMP rate-limit,
Unknown Unicast rate-limit, IGMP filter unknown multicast.
Resource usage includes resources actually in use, or reserved for future
use by the listed feature. Internal dedicated-purpose resources, such as
port bandwidth limits or VLAN QoS priority, are not included.
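Added example, not part of the original thread or any vendor tooling: a Python sketch that parses saved `show access-list resources` output and flags port groups where a table reports 0 available, marking those that also show nothing in use, which is the pattern in the stack member 2 ingress meters row of the output above. The sample text is a constructed excerpt of that output, the function names are hypothetical, and it assumes one table row per line as the CLI prints it.

```python
import re

# Constructed sample: excerpt laid out like the "show access-list resources"
# output quoted in the thread (stack member 2 reports 0 ingress meters).
SAMPLE = """\
Ingress Policy Enforcement Engine Rules
Ports | Available | ACL | QoS | IDM | VT | Mirr | PBR | OF | Other |
--------------+-----------+-----+-----+-----+-----+------+-----+------+-------|
1/1-48,A | 3842 | 0 | 0 | 208 | 0 | 0 | 0 | 0 | 266 |
2/1-48,A | 4052 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 56 |
Ingress Policy Enforcement Engine Meters
Ports | Available | ACL | QoS | IDM | VT | Mirr | PBR | OF | Other |
--------------+-----------+-----+-----+-----+-----+------+-----+------+-------|
1/1-48,A | 1782 | | 0 | 1 | 0 | | | 0 | 0 |
2/1-48,A | 0 | | 0 | 0 | 0 | | | 0 | 0 |
"""

SECTION = re.compile(r"^\s*((?:Ingress|Egress) Policy Enforcement Engine .+?)\s*$")
COLUMNS = ["ACL", "QoS", "IDM", "VT", "Mirr", "PBR", "OF", "Other"]

def parse_resources(text):
    """Return one dict per data row: section, ports, available, used-by-feature."""
    rows, section = [], None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        cells = [c.strip() for c in line.split("|")]
        # Data rows: port group, numeric "Available", then 8 feature columns.
        if section is None or len(cells) < 10 or not cells[1].isdigit():
            continue
        # Blank cells (feature does not consume this resource) are skipped.
        used = {n: int(v) for n, v in zip(COLUMNS, cells[2:10]) if v.isdigit()}
        rows.append({"section": section, "ports": cells[0],
                     "available": int(cells[1]), "used": used})
    return rows

def find_anomalies(rows):
    """Rows with nothing available; 'idle' marks those that also use nothing."""
    return [dict(r, idle=sum(r["used"].values()) == 0)
            for r in rows if r["available"] == 0]

if __name__ == "__main__":
    for a in find_anomalies(parse_resources(SAMPLE)):
        note = "0 available and 0 used" if a["idle"] else "exhausted"
        print(f'{a["section"]}: ports {a["ports"]}: {note}')
```

Run against output collected from each switch, this gives a quick way to see which stack members are in the state that accompanies the 00716 log event before clients start being blocked.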
Original Message:
Sent: Sep 21, 2022 02:37 PM
From: Herman Robers
Subject: 716 idm: ACL error - insufficient policy engine resources
Try to upgrade to the latest firmware, as I have found some references where that fixed the issue. If you still see it afterwards, check with TAC what is using up your resources. I don't know the commands to find the limits and actual usage. TAC may also know a way to work around it, as I think not all ACLs/ACEs are the same, and some can be reused where others can't, but I don't know the exact details.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Sep 21, 2022 12:09 PM
From: Koen V
Subject: 716 idm: ACL error - insufficient policy engine resources
Did you ever get this 'resolved'?
I am running into the same issue where I cannot believe we actually ran out of resources (tiny ACLs, lightly loaded ACLs)... unless some process or the likes crashed/hung up/....
Original Message:
Sent: Oct 20, 2020 09:56 PM
From: Alan Scott
Subject: 716 idm: ACL error - insufficient policy engine resources
Trying to 802.1X auth a printer into a switch role called Printer. CPPM is sending the correct role to the switch; we do this configuration all the time. This is on a 2930F switch with AOS WC.16.10.0009. A show log shows an error. I have a TAC case open but am hoping for a quicker answer. Any idea how I can fix this? We use the same config on all our switches and I do not have this issue anywhere else on over 150 switches with the same configs.
I 10/20/20 19:08:05 00076 ports: port 12 is now on-line
I 10/20/20 19:08:05 00435 ports: port 12 is Blocked by AAA
W 10/20/20 19:08:05 00716 idm: ACL error - insufficient policy engine resources, client 9C934EA86510, port 12
show access-list resources
Resource usage in Policy Enforcement Engine
Ingress Policy Enforcement Engine Rules
Resource usage in Policy Enforcement Engine
| Rules | Rules Used
Ports | Available | ACL | QoS | IDM | VT | Mirr | PBR | OF | Other |
--------------+-----------+-----+-----+-----+-----+------+-----+------+-------|
1-52 | 3752 | 0 | 92 | 120 | 0 | 0 | 0 | 0 | 96 |
Ingress Policy Enforcement Engine Meters
| Meters | Meters Used
Ports | Available | ACL | QoS | IDM | VT | Mirr | PBR | OF | Other |
--------------+-----------+-----+-----+-----+-----+------+-----+------+-------|
1-52 | 2044 | | 0 | 1 | 0 | | | 0 | 2 |
Ingress Policy Enforcement Engine Port Ranges
|Application|
|Port Ranges| Application Port Ranges Used
Ports | Available | ACL | QoS | IDM | VT | Mirr | PBR | OF | Other |
--------------+-----------+-----+-----+-----+-----+------+-----+------+-------|
1-52 | 56 | 0 | 3 | 0 | | 0 | 0 | 0 | 2 |
Ingress Policy Enforcement Engine PBR Resources
| PBR |
| Next-hops | PBR Next-hops Used
Ports | Available | ACL | QoS | IDM | VT | Mirr | PBR | OF | Other |
--------------+-----------+-----+-----+-----+-----+------+-----+------+-------|
1-52 | 1024 | | | | | | 0 | | 0 |
7 of 32 Policy Engine management resources used.
Egress Policy Enforcement Engine Rules
Resource usage in Policy Enforcement Engine
Ports | Available | ACL | QoS | IDM | VT | Mirr | PBR | OF | Other |
--------------+-----------+-----+-----+-----+-----+------+-----+------+-------|
1-52 | 2032 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Egress Policy Enforcement Engine Meters
| Meters | Meters Used
Ports | Available | ACL | QoS | IDM | VT | Mirr | PBR | OF | Other |
--------------+-----------+-----+-----+-----+-----+------+-----+------+-------|
1-52 | 1023 | | 0 | 0 | 0 | | | 0 | 0 |
|Application|
|Port Ranges| Application Port Ranges Used
Ports | Available | ACL | QoS | IDM | VT | Mirr | PBR | OF | Other |
--------------+-----------+-----+-----+-----+-----+------+-----+------+-------|
1-52 | 60 | 0 | 0 | 0 | | 0 | 0 | 0 | 0 |
0 of 8 Policy Engine management resources used.
Key:
ACL = Access Control Lists
QoS = Device & Application Port Priority, QoS Policies, ICMP rate limits
IDM = Identity Driven Management
VT = Virus Throttling blocks
Mirr = Mirror Policies, Remote Intelligent Mirror endpoints
PBR = Policy Based Routing Policies
OF = OpenFlow
Other = Management VLAN, DHCP Snooping, ARP Protection, Jumbo IP-MTU,
RA Guard, Control Plane Protection, Service Tunnel, ND Snooping, UWW,
mDNS, tunneled-node-server, copp, ICMP rate-limit,
Unknown Unicast rate-limit.
Resource usage includes resources actually in use, or reserved for future
use by the listed feature. Internal dedicated-purpose resources, such as
port bandwidth limits or VLAN QoS priority, are not included.