02-07-2013 03:16 PM - edited 03-11-2019 05:57 PM
I am trying to ssh to the inside interface of a remote firewall through an IPSec tunnel, but it just times out. I have an "ssh x.x.x.x x.x.x.x inside" rule to allow my connection, and I have "management-access inside" enabled. I see in the log that the connection is built.
Built inbound TCP connection 5526788 for outside:10.0.37.96/65067 (10.0.37.96/65067) to inside:172.29.11.254/22 (172.29.11.254/22)
After more troubleshooting I found that the device is dropping the packet due to "Punt no memory" which I can see if I do an asp-drop capture.
16:06:26.490285 10.0.37.96.65067 > 172.29.11.254.22: S 1843499779:1843499779(0) win 8192 <mss 1340,nop,wscale 8,nop,nop,sackOK> Drop-reason: (punt-no-mem) Punt no memory
I also tried connecting to the inside int via https, and that produced the same results (i.e. punt-no-mem).
Looking at Cisco docs it seems this might indicate a memory shortage, but we have plenty of memory available.
FW# sh mem
Free memory: 1434398544 bytes (67%)
Used memory: 713085104 bytes (33%)
------------- ------------------
Total memory: 2147483648 bytes (100%)
What else could cause this? BTW, I can ssh to the outside interface just fine.
I have an ASA 5512-X running version 8.6(1)6
02-07-2013 03:29 PM
Possibly a misconfiguration as per the following bug: CSCuc40450
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc40450
02-07-2013 07:10 PM
Thank you Jennifer. I added "route-lookup" to my nat rule, and that fixed the issue. I don't quite understand why that was necessary, but it did the trick.
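The triage done by hand in this thread (a connection logged as built, then found in the asp-drop capture) can be scripted. The following is an added example, not code from any poster or from Cisco; the sample lines are copied from the thread as constructed input, and the function names and the hint table are assumptions of the example.

```python
import re

# Constructed sample input: the two line formats quoted in the thread.
SYSLOG = ("Built inbound TCP connection 5526788 for outside:10.0.37.96/65067 "
          "(10.0.37.96/65067) to inside:172.29.11.254/22 (172.29.11.254/22)")
CAPTURE = ("16:06:26.490285 10.0.37.96.65067 > 172.29.11.254.22: S "
           "1843499779:1843499779(0) win 8192 <mss 1340,nop,wscale 8,nop,nop,sackOK> "
           "Drop-reason: (punt-no-mem) Punt no memory")

# Hypothetical hint table; the only entry is the fix reported in this thread.
HINTS = {"punt-no-mem": "thread's fix: add route-lookup to the NAT rule for this traffic"}

BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) (?:TCP|UDP) connection (?P<id>\d+) for "
    r"(?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) \(.*?\) to "
    r"(?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)")
DROP_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+): .*"
    r"Drop-reason: \((?P<reason>[\w-]+)\)")

def flow_key(m):
    """Source/destination address and port, used to join the two outputs."""
    return (m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))

def built_then_dropped(syslog_lines, capture_lines):
    """Flows the ASA logged as built whose packets also show up as asp drops."""
    built = {}
    for line in syslog_lines:
        m = BUILT_RE.search(line)
        if m:
            built[flow_key(m)] = (m["id"], m["sif"], m["dif"])
    hits = []
    for line in capture_lines:
        m = DROP_RE.search(line)
        if not m or flow_key(m) not in built:
            continue  # not a drop line, or a drop for a flow never logged as built
        conn_id, sif, dif = built[flow_key(m)]
        hits.append({"conn_id": conn_id, "time": m["ts"], "flow": flow_key(m),
                     "ingress": sif, "egress": dif, "reason": m["reason"],
                     "hint": HINTS.get(m["reason"], "")})
    return hits

if __name__ == "__main__":
    for hit in built_then_dropped([SYSLOG], [CAPTURE]):
        print(hit)
```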