asp drop Punt no memory (punt-no-mem)

craig.petty
Level 1

I am trying to ssh to the inside interface of a remote firewall through an IPSec tunnel, but it just times out.  I have an "ssh x.x.x.x x.x.x.x inside" rule to allow my connection, and I have "management-access inside" enabled.  I see in the log that the connection is built.

Built inbound TCP connection 5526788 for outside:10.0.37.96/65067 (10.0.37.96/65067) to inside:172.29.11.254/22 (172.29.11.254/22)

After more troubleshooting I found that the device is dropping the packet due to "Punt no memory" which I can see if I do an asp-drop capture.

16:06:26.490285 10.0.37.96.65067 > 172.29.11.254.22: S 1843499779:1843499779(0) win 8192 <mss 1340,nop,wscale 8,nop,nop,sackOK> Drop-reason: (punt-no-mem) Punt no memory

I also tried connecting to the inside int via https, and that produced the same results (i.e. punt-no-mem).

Looking at Cisco docs it seems this might indicate a memory shortage, but we have plenty of memory available.

FW# sh mem
Free memory:        1434398544 bytes (67%)
Used memory:         713085104 bytes (33%)
-------------     ------------------
Total memory:       2147483648 bytes (100%)

What else could cause this?  BTW, I can ssh to the outside interface just fine.

I have an ASA 5512-X running version 8.6(1)6


Jennifer Halim
Cisco Employee

Thank you Jennifer.  I added "route-lookup" to my nat rule, and that fixed the issue.  I don't quite understand why that was necessary, but it did the trick.
