10-10-2012 06:22 AM - edited 03-11-2019 05:07 PM
Hi There.
I am currently getting a strange error when trying to use any crypto services on our ASA 5520 (8.0.3).
Initially I observed that a connected VPN had dropped.
Then when I attempted to use ASDM or SSH I was blocked.
In the end I opened telnet as a test and this was successful. Syslog also shows that traffic is passing as normal.
The only obvious error I can see when observing various debug traces is this:
FW02# CTM: rsa session with no priority allocated @ 0xCF1FBBA0
CTM: Session 0xCF1FBBA0 uses a nlite (Nitrox Lite) as its hardware engine
CTM: rsa context allocated for session 0xCF1FBBA0
CTM: rsa session with no priority allocated @ 0xCE7A5EA8
CTM: Session 0xCE7A5EA8 uses a nlite (Nitrox Lite) as its hardware engine
CTM: rsa context allocated for session 0xCE7A5EA8
CTM: rsa session with no priority allocated @ 0xCEF249D0
CTM: Session 0xCEF249D0 uses a nlite (Nitrox Lite) as its hardware engine
CTM: rsa context allocated for session 0xCEF249D0
CTM: dh session with no priority allocated @ 0xCEF249D0
CTM: Session 0xCEF249D0 uses a nlite (Nitrox Lite) as its hardware engine
CTM: dh context allocated for session 0xCEF249D0
CTM ERROR: Failed to allocate 279 bytes of memory, ctm_nlite_generate_dh_key_pair:183
Has anyone seen anything like this before as I am lost?
Mike
10-10-2012 06:48 AM
Sounds like the ASA is out of DMA memory (show memory detail - should indicate this). There could be a number of reasons why... Your logging config, SNMP config, etc.... or a bug. However it may take some troubleshooting to determine what is causing it.
For now, capture a 'show tech' and "show memory detail". At this point, you will most likely need to reload the ASA in order to gain back the DMA memory in order to initiate new tunnels.
Sincerely,
David.
10-10-2012 06:49 AM
Hello Mike,
This is possibly a software/hardware issue, as described in this Cisco doc (search for CTM), though they are providing a resolution:
http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/s2.html
It may be time to do a reload and try your luck.
Regards,
Harish.
10-10-2012 06:52 AM
Thanks for that. It does look like it's out of crypto memory...
DMA memory:
Unused memory: 23849516 bytes (30%)
Crypto reserved memory: 20537556 bytes (26%)
Crypto free: 0 bytes ( 0%)
Crypto used: 20537556 bytes (26%)
Block reserved memory: 34669024 bytes (44%)
Block free: 30734752 bytes (39%)
Block used: 3934272 bytes ( 5%)
Used memory: 185120 bytes ( 0%)
Unless there is a way to specifically restart only the crypto engine or clear crypto memory then I guess I am looking at a reload?
Mike
10-10-2012 06:54 AM
I think I may also have found a bug ID which could be relevant:
CSCsm93115
10-10-2012 06:58 AM
Hi Mike,
Yes, you are out of crypto memory. There could be a few reasons ;-) The bug you cite is one of them.
Unfortunately, at this point you have to reload to get the memory back. You can't reload just the crypto sub-system.
Sincerely,
David.
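Added example, not part of the thread or of any Cisco tooling: a small Python check that parses the DMA memory section of "show memory detail" as posted above and flags crypto pool exhaustion, and that also picks CTM allocation failures out of debug output. The function names and the 10% low-water threshold are assumptions, and the sample text is copied from the posts in this thread.

```python
import re

# Sample input: the DMA memory section exactly as posted in this thread.
SAMPLE_DMA = """\
DMA memory:
Unused memory: 23849516 bytes (30%)
Crypto reserved memory: 20537556 bytes (26%)
Crypto free: 0 bytes ( 0%)
Crypto used: 20537556 bytes (26%)
Block reserved memory: 34669024 bytes (44%)
Block free: 30734752 bytes (39%)
Block used: 3934272 bytes ( 5%)
Used memory: 185120 bytes ( 0%)
"""

# Sample input: the CTM error line from the debug trace in the first post.
SAMPLE_DEBUG = "CTM ERROR: Failed to allocate 279 bytes of memory, ctm_nlite_generate_dh_key_pair:183"

FIELD_RE = re.compile(r"^\s*(?P<name>[A-Za-z ]+?):\s+(?P<bytes>\d+) bytes\s+\(\s*\d+%\)\s*$")
CTM_FAIL_RE = re.compile(r"CTM ERROR: Failed to allocate (\d+) bytes of memory, (\w+):(\d+)")

def parse_dma(text):
    """Return {lower-cased field name: bytes} for each 'name: N bytes (P%)' line."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("name").strip().lower()] = int(m.group("bytes"))
    return fields

def crypto_pool_status(text, min_free_pct=10.0):
    """Return (state, free % of the crypto reservation); threshold is an assumption."""
    f = parse_dma(text)
    reserved, free = f["crypto reserved memory"], f["crypto free"]
    free_pct = 100.0 * free / reserved if reserved else 0.0
    if free == 0:
        return "exhausted", free_pct
    return ("low" if free_pct < min_free_pct else "ok"), free_pct

def ctm_alloc_failures(lines):
    """Yield (bytes requested, function, source line) per CTM allocation failure."""
    for line in lines:
        m = CTM_FAIL_RE.search(line)
        if m:
            yield int(m.group(1)), m.group(2), int(m.group(3))

if __name__ == "__main__":
    print(crypto_pool_status(SAMPLE_DMA))
    print(list(ctm_alloc_failures([SAMPLE_DEBUG])))
```

Run against periodically collected output, a "low" result gives time to schedule the reload before new tunnels, SSH and ASDM sessions start failing.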