Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4775
Views
0
Helpful
11
Replies

ASA 5525X with Firepower high memory utilization

jackk.rayen
Level 1
Level 1

‎12-26-2016 01:20 AM - edited ‎03-12-2019 06:14 AM

Hi ,

i have a problem with firepower service ,  asa 5525x with firepower service was implemented in internet edge and the bandwidth is about 50M. in firepower i just do inspection with ips and during a week the RAM utilization rise about 90percent ,  how can i overcome with this problem ??

here is screenshot

1 person had this problem
Labels:
Preview file
158 KB
0 Helpful
11 Replies 11

nspasov
Cisco Employee
Cisco Employee

‎12-30-2016 05:42 PM

Hi there! I have a couple of questions:

1. What version and patch level do you have running on FirePOWER

2. What version of ASA code do you have running on the ASA

3. What is highest connection count that you have seen on the Firewall

Thank you for rating helpful posts!

0 Helpful

jackk.rayen
Level 1
Level 1
In response to nspasov

‎12-30-2016 11:05 PM

Hi ,

thanks for your reply ,

1. FirePower management center version is 6.0.1 (build 1213) and firepower Sensor version is 6.0.1-29,

2. my asa 5525X is running 9.4.3-12 code version

3. when i get "sho conn" it sees about "10000" connection ,

thanks

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to jackk.rayen

‎01-01-2017 11:41 PM

The # of connections that you are showing is nowhere near the limit of that box so I don't think that is the issue. I think it is most likely a bug related with the FirePOWER code. There has been two patches released for the 6.0.1 train and both of them appear to address some defects related to memory. I would suggest upgrading to the latest patch and see if that takes care of the issue. 

Thank you for rating helpful posts!

0 Helpful

jackk.rayen
Level 1
Level 1
In response to nspasov

‎01-02-2017 10:10 PM

Thanks for your reply , yes I will try it

thanks

0 Helpful

Claudiu Cismaru
Cisco Employee
Cisco Employee
In response to jackk.rayen

‎01-02-2017 09:17 AM

If the FP module shows 90% memory utilization, you should not care about it, unless you have other detection issues with (like hitting memory leaks bugs).

The FP module is designed to use all memory available for detection.

0 Helpful

jackk.rayen
Level 1
Level 1
In response to Claudiu Cismaru

‎01-02-2017 10:08 PM

Hi,

you correct but High memory utilization has a very bad effect on my production network. when the memory rise ping time and latency also increase and all transaction will be slow and when I test communication via PING , I get timeout in y communication ,

thanks

0 Helpful

Claudiu Cismaru
Cisco Employee
Cisco Employee
In response to jackk.rayen

‎01-03-2017 12:48 AM

Update to the latest 6.0.x or go with 6.1, if you can.

6.0.1 is pretty outdated as for now. There were multiple issues with latency, memory usage already fixed.

0 Helpful

kevin.phamakao
Level 1
Level 1

‎01-19-2017 08:21 AM

Hi Jack,

I have the same problem sporadically effecting my Cisco ASA5525-x with FirePower services.

I've involved Cisco TAC several times and they had recommended that I bring my base policy in my intrusion from "Maximum". I changed it to "Security of Connectivity" and had the same problem, and then TAC stated that this was worse than "Maximum", and recommended I change it to "Balanced Security and Connectivity". The issue still occurred sporadically so this didn't seem to be the root cause.

At this time, I have a scheduled maintenance to update to 6.1.0.2, but the path to the latest version is so confusing and convoluted. I'm running 6.0.0.1 currently. 

I'm currently in communications with Cisco TAC and they stated to run the updates in the following order:

Version 6.0.0.1 > Version 6.0.1 Pre-Installation Package > Version 6.0.1. > Version 6.1 Pre-Installation Package > Version 6.1 > Version 6.1.0.1 > Version 6.1.0 Hotfix AF

However, I'm waiting on clarification on the "Pre-Installation Package", because there is a "Sensor" pre-install and a "SourceFire Defense Center (now FireSight Manager)" pre-install. They aren't clear as to which pre-install you need to apply.

0 Helpful

kevin.phamakao
Level 1
Level 1
In response to kevin.phamakao

‎01-19-2017 09:12 AM

Received clarification that the pre-install is indeed for the Source Fire Defense Center (FSM).

0 Helpful

Claudiu Cismaru
Cisco Employee
Cisco Employee
In response to kevin.phamakao

‎01-19-2017 11:10 AM

As I told Jack, 6.0.0.1 is a bit outdated, also.

6.1.x have some issues as well, you should go with the latest and the hotfixes applied.

As I mentioned before, 90% could be normal unless there are other problems. The devices are designed to use all the resources available (what's the point of having n GB of memory and to use only n/2 or less?!)

0 Helpful

Dennis Perto
Level 5
Level 5

‎01-26-2017 05:48 AM

The ASA5525 should have 8GB of memory. 

4 for the ASA and yet another 4 for Firepower. You only see 3.4GB. 

Are the memory okay?

I just sent an 5545X for RMA because of RAM failure.

ASA and Firepower was still running, but barely.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card