FTD Deployed configurations are too large

dbogdan (Level 1)

Hi,

I upgraded a pair of 5516-X firewalls to FTD version 7.0.1 and I'm getting the message above. Details below. I have a very basic setup on these with very few rules in my policies. I was curious to know if anyone else has run into this issue and how you got out of it. The firewalls are running fine, but I don't like to see messages like this. I was on 6.4.0.14 and all was well.

Thanks

Configuration Memory Allocation
Apr 20, 2022 3:53 PM
Deployed configurations are too large.
Your deployed configurations require more memory than the system can allocate. Re-evaluate your configurations. Most often you can reduce the number or complexity of access control rules or intrusion policies. See the online help to learn best practices for access control.

Memory Allocation
Configuration Memory Required:
  Total Snort Memory:          2758.80 MB
  Security Intelligence:        156.00 MB
  DNS/URL Blacklisting:          19.00 MB
  Policy Configuration Memory: 2124.66 MB
  SSL Memory:                        0 B
Available Memory:               361.92 MB

[screenshot: for ASA]

Even one simple ACL produces 24,255 rules!!!
There is a command for ASA, but for FTD I will search and send you the command.

Thank you so much for replying.  Yes that's crazy.

I have the same problem. What was the fix for this one?

Hello,

Did you try the fix mentioned in the screenshot?

You can reduce the memory required to search access rules by enabling object group search, but this is at the expense of rule lookup performance. When enabled, object group search does not expand network objects, but instead searches access rules for matches based on those group definitions. You can set this option using the object-group-search access-control command.

You can improve system performance and reliability by using the transactional commit model for access groups. See the basic settings chapter in the general operations configuration guide for more information. Use the asp rule-engine transactional-commit access-group command.

Hi Sir, I am running FTD and my CLI access is limited. Would that command still run using expert mode?

On FTD managed by FMC you will find the object group search option into the GUI at device management - device properties, I don't know if the same applies for FDM.

Note that object group search reduces memory consumption at the expense of CPU. If you have a very large rule set with intensive use of objects, you may significantly reduce memory consumption but at the same time significantly increase CPU usage.
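To see why a handful of ACEs can turn into tens of thousands of rules (and what object group search changes), here is an added Python illustration, not code from the thread or from Cisco; the group names and member counts are constructed, and the per-entry expansion is the source x destination x service product that the expanded rule count reflects.

```python
from dataclasses import dataclass

# Constructed sample object groups: name -> number of members.
# (Not taken from the thread; sizes are illustrative only.)
NETWORK_GROUPS = {
    "DMZ_SERVERS": 15,   # 15 host/subnet entries
    "BRANCH_NETS": 49,   # 49 branch subnets
    "INTERNAL": 3,
}
SERVICE_GROUPS = {
    "WEB_PORTS": 11,     # e.g. tcp/80, tcp/443, ... as separate entries
}


@dataclass(frozen=True)
class Ace:
    """One access-control entry as written in the policy."""
    src: str   # network object-group name, or a single host/"any"
    dst: str
    svc: str   # service object-group name, or a single port


def member_count(groups: dict, ref: str) -> int:
    """Members of a group, or 1 for a single host/network/port/any."""
    return groups.get(ref, 1)


def expanded_ace_count(ace: Ace) -> int:
    """Rules produced by one ACE when object groups are expanded:
    every source member x every destination member x every service."""
    return (member_count(NETWORK_GROUPS, ace.src)
            * member_count(NETWORK_GROUPS, ace.dst)
            * member_count(SERVICE_GROUPS, ace.svc))


def rule_counts(acl: list) -> tuple:
    """(expanded rule count, count with object group search enabled).
    With object group search the lookup matches against the group
    definitions, so each ACE stays a single entry."""
    expanded = sum(expanded_ace_count(a) for a in acl)
    return expanded, len(acl)


# Constructed three-line policy (hypothetical, for illustration).
SAMPLE_ACL = [
    Ace("BRANCH_NETS", "DMZ_SERVERS", "WEB_PORTS"),  # 49 * 15 * 11
    Ace("INTERNAL", "DMZ_SERVERS", "WEB_PORTS"),     # 3 * 15 * 11
    Ace("any", "INTERNAL", "tcp/22"),                # 1 * 3 * 1
]

if __name__ == "__main__":
    expanded, compact = rule_counts(SAMPLE_ACL)
    print(f"expanded: {expanded} rules, object group search: {compact} entries")
```

The expanded count is what drives the policy configuration memory figure in the health alert; the trade-off the reply above describes is that the smaller table must be searched per packet against group membership instead.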

Hi Sir,

I have enabled Object Group Search and it seems the error has not gone away (still present), but I will still keep my eye on this issue and will continue to monitor; maybe this will be gone in a few. Would you also recommend upgrading my Snort 2 to Snort 3? I read some KB about Snort 3 being more scalable, flexible and possibly using less memory compared to Snort 2. If I ever upgrade my Snort version, are there any changes to my config?

[screenshot: Screenshot 2022-10-21 102633.jpg]

Thank you sir

Cisco suggests moving to Snort 3 for efficiency and performance, but I have very little experience with it. I did it in my lab only and noticed not much difference, but it's a lab.

I will try to upgrade my Snort this coming weekend. One last question: after upgrading your Snort version, did it use too much memory, or just the same? Because I have no problem upgrading my Snort version, but I'm a bit hesitant whether that upgrade would do any good or worsen my problem.

If Snort 3 would use up more memory than Snort 2, then I'd rather stay on my current one.

dbogdan (Level 1)

Yes, I read this. The ASA is set up as an ASA with a Sourcefire module running. Are you saying that applying this command to the ASA will reduce the memory needed, or increase the memory available on the Sourcefire module?

Hello,

Good question. Since the ASA and the SFR work in conjunction, reducing the required memory on the ASA should impact the SFR as well. Are there actually (a lot of) (nested) object groups in your ASA config?

A TAC engineer told me that this is a predictive alarm, based on your current configuration and some unknown traffic profiles you MAY run out of memory the way it explains in the table.

In short, it's telling you that you are at risk of running out of memory and you have to start considering upgrading the firewall model or disabling some function which consumes memory.

Cleaning access rules and/or enabling object group search is a possible way, but it depends on your environment how effective it can be.

You can completely disable the alarm in the health policy; it's called "configuration memory allocation" on 7.x releases. It had a different name in 6.x releases which I can't recall.