Failover pair of ASA5510

Hi everybody,

I have a pair in active-standby configuration.

During the last two weeks, whenever I try to save the configuration in ASDM after adding a new rule on the active ASA5510, I get a 'memory full' error; however, it actually saves the rule.

I checked memory (sh memory) and I got this:

ASA5510# sh memory
Free memory:        25151400 bytes ( 9%)
Used memory:       243284056 bytes (91%)
-------------     ----------------
Total memory:      268435456 bytes (100%)

THEN

ASA5510# show memory detail
Free memory:                      25160328 bytes ( 9%)
Used memory:                     243275128 bytes (91%)
     Allocated memory in use:    130028792 bytes (48%)
     Reserved memory:             62021760 bytes (23%)
     DMA Reserved memory:         51224576 bytes (19%)
-----------------------------   ----------------
Total memory:                    268435456 bytes (100%)
Dynamic Shared Objects(DSO):          0 bytes
DMA memory:
   Unused memory:                 13124660 bytes (26%)
   Crypto reserved memory:         8216700 bytes (16%)
      Crypto free:                 7036928 bytes (14%)
      Crypto used:                 1179772 bytes ( 2%)
   Block reserved memory:         29632320 bytes (58%)
      Block free:                 25942816 bytes (51%)
      Block used:                  3689504 bytes ( 7%)
   Used memory:                     250896 bytes ( 0%)
-----------------------------   ----------------
   Total memory:                  51224576 bytes (100%)
HEAP memory:
   Free memory:                      25160328 bytes (16%)
   Used memory:                     130028792 bytes (84%)
      Init used memory by library:    4218752 bytes ( 3%)
      Allocated memory:             125810040 bytes (81%)
-----------------------------   ----------------
   Total memory:                    155189120 bytes (100%)
Least free memory:     4200163360 bytes (2706%)
Most used memory:       249993056 bytes (161%)


I read somewhere that:
clear conf threat-detection
can help fix that.

ASA5510# sh running-config threat-detection
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

I have nearly 450 rules on the outbound interface and 220 on the inside one. No remote access VPNs, no webVPNs, no site-to-site VPNs.
Thanks.

3 Replies

Maykol Rojas
Cisco Employee

Hi,

Well, your memory is a bit high. Would you be able to get me the show tech of the device in a private message? We need to see things like interface errors, memory blocks, show process, etc.


If you disable threat detection (which I really recommend) you would need to reload the firewall.

Mike

Mike

Thanks for your reply.

Why would you disable threat detection?

Hi

Excellent question. The problem with threat detection is that it is like a balloon: it just keeps gathering information about connections, and it keeps a record of every connection made to every single host on your network. That's why, when you go into your ASDM and go to the firewall dashboard, you are able to see graphics with top services, top hosts, etc. That is information gathered by threat detection.

This is meant to be on only when you sense that there is an attack on your network and only for troubleshooting. In the threat detection documentation it states that it can have over 25% when it is turned on... and it can keep increasing.

"...The scanning threat detection feature can affect the security appliance performance and memory significantly while it creates and gathers host- and subnet-based data structure and information..."

You can read more information and device impact on the configuration guide for threat detection....

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1072953

In case you have any doubts, please let me know.

Mike

Mike
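
An added example, not part of the thread and not Cisco tooling: a Python parser for `show memory detail` output like the one posted above. It flags any section above an assumed 85% usage threshold and any high/low-water counter larger than total memory (such as the "Least free memory" line). The function names and the threshold are assumptions of this example.

```python
import re

# Sample input: selected lines excerpted from the output posted in this thread.
SAMPLE = """\
Free memory:                      25160328 bytes ( 9%)
Used memory:                     243275128 bytes (91%)
     Allocated memory in use:    130028792 bytes (48%)
Total memory:                    268435456 bytes (100%)
HEAP memory:
   Free memory:                      25160328 bytes (16%)
   Used memory:                     130028792 bytes (84%)
   Total memory:                    155189120 bytes (100%)
Least free memory:     4200163360 bytes (2706%)
Most used memory:       249993056 bytes (161%)
"""

SECTION = re.compile(r"^([A-Z]+) memory:\s*$")  # e.g. "DMA memory:", "HEAP memory:"
COUNTER = re.compile(r"^(\s*)([A-Za-z][\w() ]*?):\s+(\d+) bytes")

def parse_show_memory(text):
    """Return {section: {counter: bytes}}; unindented counters go under 'system'."""
    mem, section = {"system": {}}, "system"
    for line in text.splitlines():
        if (m := SECTION.match(line)):
            section = m.group(1).lower()
            mem[section] = {}
        elif (m := COUNTER.match(line)):
            # Indented counters belong to the current section.
            target = section if m.group(1) else "system"
            mem[target][m.group(2)] = int(m.group(3))
    return mem

def assess(mem, warn_pct=85):
    """Flag high usage and counters that cannot be true (threshold is assumed)."""
    findings = []
    for name, sec in mem.items():
        if {"Used memory", "Total memory"} <= sec.keys():
            pct = 100 * sec["Used memory"] / sec["Total memory"]
            if pct >= warn_pct:
                findings.append(f"{name}: {pct:.0f}% used")
    total = mem["system"].get("Total memory", 0)
    for key in ("Least free memory", "Most used memory"):
        if mem["system"].get(key, 0) > total:
            findings.append(f"{key} exceeds total memory; ignore for trending")
    return findings

if __name__ == "__main__":
    for finding in assess(parse_show_memory(SAMPLE)):
        print(finding)
```
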