02-07-2013 03:16 PM - edited 03-11-2019 05:57 PM
I am trying to ssh to the inside interface of a remote firewall through an IPSec tunnel, but it just times out. I have an "ssh x.x.x.x x.x.x.x inside" rule to allow my connection, and I have "management-access inside" enabled. I see in the log that the connection is built.
Built inbound TCP connection 5526788 for outside:10.0.37.96/65067 (10.0.37.96/65067) to inside:172.29.11.254/22 (172.29.11.254/22)
After more troubleshooting I found that the device is dropping the packet due to "Punt no memory" which I can see if I do an asp-drop capture.
16:06:26.490285 10.0.37.96.65067 > 172.29.11.254.22: S 1843499779:1843499779(0) win 8192 <mss 1340,nop,wscale 8,nop,nop,sackOK> Drop-reason: (punt-no-mem) Punt no memory
I also tried connecting to the inside int via https, and that produced the same results (i.e. punt-no-mem).
Looking at Cisco docs it seems this might indicate a memory shortage, but we have plenty of memory available.
FW# sh mem
Free memory: 1434398544 bytes (67%)
Used memory: 713085104 bytes (33%)
------------- ------------------
Total memory: 2147483648 bytes (100%)
What else could cause this? BTW, I can ssh to the outside interface just fine.
I have an ASA 5512-X running version 8.6(1)6
02-07-2013 03:29 PM
Possibly a misconfiguration as per the following bug: CSCuc40450
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc40450
02-07-2013 07:10 PM
Thank you Jennifer. I added "route-lookup" to my nat rule, and that fixed the issue. I don't quite understand why that was necessary, but it did the trick.
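An audit check for the condition resolved in this thread, added here as an example and not part of the original posts: Cisco's ASA documentation states that reaching a `management-access` interface through a VPN tunnel when identity NAT is in use requires the `route-lookup` keyword on that NAT rule, because otherwise the ASA picks the egress interface from the NAT rule instead of the routing table. The script scans a running-config for identity twice-NAT rules on the management-access interface that lack the keyword; the sample config, its object names and the function name are constructed for illustration.

```python
import re

# Constructed sample running-config excerpt (object names are made up).
SAMPLE_CONFIG = """\
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp
nat (dmz,outside) source static DMZ-LAN DMZ-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
nat (inside,outside) source dynamic LOCAL-LAN interface
management-access inside
"""

# Twice-NAT (manual NAT) static rule: nat (real,mapped) source static <real-obj> <mapped-obj> ...
NAT_RE = re.compile(
    r"^nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s+(?:after-auto\s+)?source static "
    r"(?P<src_real>\S+) (?P<src_mapped>\S+)(?P<rest>.*)$"
)
MGMT_RE = re.compile(r"^management-access (\S+)$")


def find_missing_route_lookup(config):
    """Return identity NAT rules on the management-access interface
    that do not carry the route-lookup keyword."""
    lines = [line.rstrip() for line in config.splitlines()]
    mgmt_ifs = {m.group(1) for line in lines if (m := MGMT_RE.match(line))}
    findings = []
    for line in lines:
        m = NAT_RE.match(line)
        if not m:
            continue
        # Identity NAT: the real and mapped source objects are the same.
        identity = m["src_real"] == m["src_mapped"]
        # Only rules whose real interface is the management-access one matter.
        on_mgmt_if = m["real"] in mgmt_ifs or m["real"] == "any"
        if identity and on_mgmt_if and "route-lookup" not in m["rest"].split():
            findings.append(line)
    return findings


if __name__ == "__main__":
    for rule in find_missing_route_lookup(SAMPLE_CONFIG):
        print("identity NAT without route-lookup:", rule)
```
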