cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2204
Views
0
Helpful
5
Replies

crypto errors CTM ERROR: Failed to allocate x bytes of memory

mikedelafield
Level 1
Level 1

Hi There.

I am currently getting a strange error when trying to use and crypto services on our ASA 5520 (8.0.3)

Initially I observed that a connected VPN had dropped.

Then when I attempted to use ASDM or SSH I was blocked.

In the end I opened telnet as a test and this was successful. Syslog also shows that traffic is passing as normal.

The only obvious error I can see when observing various debug traces is this;

FW02# CTM: rsa session with no priority allocated @ 0xCF1FBBA0

CTM: Session 0xCF1FBBA0 uses a nlite (Nitrox Lite) as its hardware engine

CTM: rsa context allocated for session 0xCF1FBBA0

CTM: rsa session with no priority allocated @ 0xCE7A5EA8

CTM: Session 0xCE7A5EA8 uses a nlite (Nitrox Lite) as its hardware engine

CTM: rsa context allocated for session 0xCE7A5EA8

CTM: rsa session with no priority allocated @ 0xCEF249D0

CTM: Session 0xCEF249D0 uses a nlite (Nitrox Lite) as its hardware engine

CTM: rsa context allocated for session 0xCEF249D0

CTM: dh session with no priority allocated @ 0xCEF249D0

CTM: Session 0xCEF249D0 uses a nlite (Nitrox Lite) as its hardware engine

CTM: dh context allocated for session 0xCEF249D0

CTM ERROR: Failed to allocate 279 bytes of memory, ctm_nlite_generate_dh_key_pair:183

Has anyone seen anything like this before as I am lost?

Mike

1 Accepted Solution

Accepted Solutions

Hi Mike,

Yes, you are out of crypto memory.  There could be a few reasons ;-)  The bug you cite is one of them.

Unfortunately, at this point you have to reload to get the memory back.  You can't reload just the crypto sub-system.

Sincerely,


David.

View solution in original post

5 Replies 5

David White
Cisco Employee
Cisco Employee

Sounds like the ASA is out of DMA memory (show memory detail - should indicate this).  There could be a number of reasons why... Your logging config, snmp config, etc.... or a bug.  However it may take some troubelshooting to determine what is causing it.

For now, capture a 'show tech' and "show memory detail".  At this point, you will most likely need to reload the ASA in order to gain back the DMA memory in order to initiate new tunnels.

Sincerely,


David.

Hello Mike,

This is possibly a software/hardware issue as this cisco doc  ( Search for CTM).. though they are providing a resolution..

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/s2.html

may be time to a take a reload and try for a luck

regards

Harish.

Thanks for that. It does look like its out of crypto memory...

DMA memory:

   Unused memory:                 23849516 bytes (30%)

   Crypto reserved memory:        20537556 bytes (26%)

     Crypto free:                       0 bytes ( 0%)

     Crypto used:                20537556 bytes (26%)

   Block reserved memory:         34669024 bytes (44%)

     Block free:                 30734752 bytes (39%)

     Block used:                  3934272 bytes ( 5%)

   Used memory:                     185120 bytes ( 0%)

Unless there is a way to specifically restart only the crypto engine or clear crypto memory then I guess I am looking at a reload?

Mike

I think I may also have found a bug ID which could be relevant

CSCsm93115

Hi Mike,

Yes, you are out of crypto memory.  There could be a few reasons ;-)  The bug you cite is one of them.

Unfortunately, at this point you have to reload to get the memory back.  You can't reload just the crypto sub-system.

Sincerely,


David.

Review Cisco Networking for a $25 gift card