Access rules won't get added after reaching the limit for a specific Zone to Zone pair.
Device: NSA 3500
Firmware Tested: 18.104.22.168 and 22.214.171.124
In the scenario explained below, the customer is unable to add a rule from VPN to LAN.
The customer already had 309 custom access rules added; the NSA 3500 supports a maximum of 1000 VPN SAs, with one access rule per SA.
Below is the analysis done on the basis of the customer's environment:
Auto-added access rules for VPN policy: 1012
Custom access rules added by customer: 300
In this scenario, the customer has already created/modified 300 custom rules between VPN and LAN. By design, the device does not allow any more rules to be added between VPN and LAN.
The conclusion for the scenario discussed above is that the issue is not with the firmware or the device; it is simply a device limitation, which can be overcome by upgrading to a Gen 6 device (e.g. NSA 3600) that supports up to 600 custom rules per specific zone-to-zone pair.
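The analysis above amounts to counting custom (non auto-added) rules per zone pair and comparing the count against the per-pair limit. The following is an added example of that capacity check, written here as illustration and not SonicWall code; it works on a constructed in-memory rule list rather than a real exported configuration. The limit of 300 custom rules per zone pair for the Gen 5 device is an assumption inferred from the scenario on this page (the page only states the 600 figure for Gen 6), so treat it as a parameter to set from your own platform's documentation.

```python
from collections import Counter

# Constructed sample of access rules in the shape an admin might export them:
# (from_zone, to_zone, auto_added). auto_added is True for rules a VPN policy
# created on its own. The counts mirror the page's scenario in miniature.
SAMPLE_RULES = (
    [("VPN", "LAN", False)] * 300   # custom VPN->LAN rules (the pair that is full)
    + [("VPN", "LAN", True)] * 40   # auto-added by VPN policies, not counted as custom
    + [("LAN", "WAN", False)] * 25
    + [("WAN", "LAN", False)] * 10
)

# Assumed per-zone-pair limits; the Gen 5 value is inferred from the scenario,
# the Gen 6 value is the one the page states for the NSA 3600.
ASSUMED_LIMIT_GEN5 = 300
LIMIT_GEN6 = 600


def count_custom_rules(rules):
    """Count custom (non auto-added) rules per (from_zone, to_zone) pair."""
    counts = Counter()
    for from_zone, to_zone, auto_added in rules:
        if not auto_added:
            counts[(from_zone, to_zone)] += 1
    return dict(counts)


def zone_pairs_at_limit(rules, limit, warn_fraction=0.9):
    """Return (full, near): pairs at/over the limit and pairs at or above
    warn_fraction of it, so an admin can see a pair filling up before a
    rule add silently fails."""
    counts = count_custom_rules(rules)
    full = {pair: n for pair, n in counts.items() if n >= limit}
    near = {pair: n for pair, n in counts.items()
            if limit * warn_fraction <= n < limit}
    return full, near


def can_add_rule(rules, from_zone, to_zone, limit):
    """True if one more custom rule fits between from_zone and to_zone."""
    current = count_custom_rules(rules).get((from_zone, to_zone), 0)
    return current < limit


if __name__ == "__main__":
    full, near = zone_pairs_at_limit(SAMPLE_RULES, ASSUMED_LIMIT_GEN5)
    for pair, n in full.items():
        print(f"{pair[0]}->{pair[1]}: {n} custom rules, limit reached")
    for pair, n in near.items():
        print(f"{pair[0]}->{pair[1]}: {n} custom rules, approaching limit")
    print("Can add VPN->LAN on Gen 5:",
          can_add_rule(SAMPLE_RULES, "VPN", "LAN", ASSUMED_LIMIT_GEN5))
    print("Can add VPN->LAN on Gen 6:",
          can_add_rule(SAMPLE_RULES, "VPN", "LAN", LIMIT_GEN6))
```

Running the script against the constructed sample reports VPN->LAN as full at 300 custom rules while the auto-added rules are excluded from that count, and shows the same rule set leaving headroom under the Gen 6 limit; running the same check periodically against a real rule export gives early warning before the limit is hit.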