Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
622
Views
5
Helpful
2
Replies

Cisco ASA 5545 x mem at 93%

Steve Coady
Level 1
Level 1

‎01-24-2018 08:17 AM - edited ‎02-21-2020 07:12 AM

All

 

I have an ASA HA pair where the primaryt shows 93% mem used. The secondary is at 64%.

 

The reason for the difference was a unique vpn that was created only on the primary. Due to there was only 1 uplink to the ISP switch. This vpn does have a redundant link through a different ASA. This redundant vpn was already in place. 

 

I have read that memory is used up by acl's, conn table and Xlate table. ACL's expand to show each line when using show access-list.

 

Will the following command provide any relief? What are Pro's/con's?

 

object-group-search access-control

 

 

 

 

sMc
Labels:
0 Helpful
2 Replies 2

Bogdan Nita
VIP Alumni
VIP Alumni

‎01-24-2018 09:11 AM

pro: less memory used by acls

con: acl rule lookup slower

 

You can reduce the memory required to search access rules by enabling object group search, but this is at the expense rule lookup performance. When enabled, object group search does not expand network objects, but instead searches access rules for matches based on those group definitions. You can set this option using the object-group-search access-control command.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/access-rules.html

 

HTH

Bogdan

0 Helpful

Steve Coady
Level 1
Level 1
In response to Bogdan Nita

‎05-10-2018 07:02 AM

Hello

 

I am not sure I understand the impact of "at the expense rule lookup performance".

I have checked forum and internet. It almost seems like using the command, object-group-search access-control, is a bad idea.

 

 

sMc
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card