02-21-2011 04:59 PM - edited 03-11-2019 12:53 PM
Hi everybody,
I have a pair in active-standby configuration.
During the last two weeks whenever I try to save conf on ASDM after adding a new rule on the active ASA5510, i get 'memory full' error, however it actually saves the rule.
I checked memory (sh memory) and I got this:
ASA5510# sh memory
Free memory: 25151400 bytes ( 9%)
Used memory: 243284056 bytes (91%)
------------- ----------------
Total memory: 268435456 bytes (100%)
THEN
ASA5510# show memory detail
Free memory: 25160328 bytes ( 9%)
Used memory: 243275128 bytes (91%)
Allocated memory in use: 130028792 bytes (48%)
Reserved memory: 62021760 bytes (23%)
DMA Reserved memory: 51224576 bytes (19%)
----------------------------- ----------------
Total memory: 268435456 bytes (100%)
Dynamic Shared Objects(DSO): 0 bytes
DMA memory:
Unused memory: 13124660 bytes (26%)
Crypto reserved memory: 8216700 bytes (16%)
Crypto free: 7036928 bytes (14%)
Crypto used: 1179772 bytes ( 2%)
Block reserved memory: 29632320 bytes (58%)
Block free: 25942816 bytes (51%)
Block used: 3689504 bytes ( 7%)
Used memory: 250896 bytes ( 0%)
----------------------------- ----------------
Total memory: 51224576 bytes (100%)
HEAP memory:
Free memory: 25160328 bytes (16%)
Used memory: 130028792 bytes (84%)
Init used memory by library: 4218752 bytes ( 3%)
Allocated memory: 125810040 bytes (81%)
----------------------------- ----------------
Total memory: 155189120 bytes (100%)
Least free memory: 4200163360 bytes (2706%)
Most used memory: 249993056 bytes (161%)
----- fragmented memory statistics -----
fragment size count total
(bytes) (bytes)
---------------- ---------- --------------
0 1 0**
16 583 9328
24 549 13176
32 528 16896
40 458 18320
48 475 22800
56 11 616
64 12 768
88 1 88
96 3 288
104 1 104
112 1 112
120 4 480
128 2 256
136 2 272
144 1 144
176 2 352
224 2 448
240 1 240
256 1 256
288 1 288
296 1 296
328 1 328
344 1 344
360 1 360
392 1 392
432 1 432
456 1 456
488 2 976
520 2 1040
592 1 592
656 1 656
1120 1 1120
1160 1 1160
1320 3 3960
1480 1 1480
1640 1 1640
1696 1 1696
1848 1 1848
2560 5 14120
3128 2 6600
4136 2 8416
4760 2 9712
6480 1 6480
7392 1 7392*
8384 1 8384
9016 1 9016
10256 38 400224
10760 158 1831400
12296 216 3044200
16416 179 3300920
20480 203 4613112
24576 208 5554472
28680 194 5969176
32776 5 164112
45768 2 108544
* - top most releasable chunk.
** - contiguous memory on top of heap.
----- allocated memory statistics -----
fragment size count total
(bytes) (bytes)
---------------- ---------- --------------
40 1 40
48 1384 66432
56 5558 311248
64 4489 287296
72 11135 801720
80 3559 284720
88 334 29392
96 1909 183264
104 564 58656
112 193 21616
120 253 30360
128 4045 517760
136 582 79152
144 199 28656
152 782 118864
160 630 100800
168 218 36624
176 105 18480
184 535 98440
192 20 3840
200 83 16600
208 841 174928
216 262 56592
224 436 97664
232 3942 914544
240 116 27840
248 205 50840
256 412 105472
264 18 4752
272 6 1632
280 7 1960
288 677 194976
296 8 2368
304 28 8512
312 119 37128
320 13 4160
328 2 656
336 20 6720
344 2 688
352 7 2464
368 5 1840
376 101 37976
384 59 22656
392 158 61936
408 7 2856
416 2 832
424 84 35616
432 5 2160
440 3 1320
464 4 1856
472 1 472
488 1 488
512 72 36864
576 1338 770688
640 13 8320
704 12 8448
768 7 5376
832 7 5824
896 4 3584
960 6 5760
1024 47 48128
1088 6 6528
1152 12 13824
1216 12 14592
1280 102 130560
1344 207 278208
1408 232 326656
1472 5 7360
1536 3 4608
1600 1 1600
1664 2 3328
1792 31 55552
1856 2 3712
1920 3 5760
1984 1 1984
2048 254 520192
2112 85 179520
2176 10 21760
2304 1 2304
2368 2 4736
2432 1 2432
2560 28 71680
3072 10 30720
3584 5 17920
4096 37 151552
4608 5 23040
5120 2 10240
5632 4 22528
6144 130 798720
7168 2 14336
7680 4 30720
8192 111 909312
8704 2 17408
9728 3 29184
10240 1 10240
10752 4 43008
14848 16 237568
18944 95 1799680
23040 5 115200
27136 8 217088
31232 1216 37978112
35328 52 1837056
39424 10 394240
43520 52 2263040
76288 109 8315392
109056 2 218112
141824 41 5814784
174592 8 1396736
436736 7 3057152
698880 19 13278720
02-21-2011 05:28 PM
Hi,
Well, your memory is a bit high, Would you be able to get me the show tech of the device on a private message? This things we need to see things like interface errors, memory blocks, show process etc....
If you disable threat detection (which I really recommend) you would need to reload the firewall.
Mike
02-21-2011 05:49 PM
thanks for your reply.
Why would you disable threat detection?
02-21-2011 05:56 PM
Hi
Excellent Question. The problem with threat dectection is that it is like a balloon, it just keep gathering information about connection and it keeps a record of every connection made to every single host on your network. Thats why when you go into your ASDM and go to firewall dashboard you are able to see graphics with top services, top hosts etc... that is information gathered by threat detection.
This is meant to be on only when you sense that there is an attack on your network and only for troubleshooting. On the threat detection documentation it states that it can have over 25% when it is turned on... and it can keep increasing.
"...The scanning threat detection feature can affect the security appliance performance and memory significantly while it creates and gathers host- and subnet-based data structure and information..."
You can read more information and device impact on the configuration guide for threat detection....
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1072953
In case you have any doubts, please let me know.
Mike
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide