02-14-2012 01:34 PM - edited 03-11-2019 03:29 PM
Hi Experts,
We are experiencing high memory utilization in a PIX 515E firewall. It has 128MB DRAM and the average utilization stays mostly at 99%, which is quite a concern now. Remote Access VPN users are unable to connect, with the following error when they try connecting:
"Secure VPN Connection terminated by Peer . Reason 433 (Reason Not Specified by Peer ) "
Can it be because of the high memory utilization?
Also note that we have a failover mechanism enabled with a Primary/Secondary, Active/Standby configuration. Due to the high memory utilization we are also unable to write the configuration to memory. The following error shows up:
------------------------------------------------
C17440-BJ08-PIX2# write memory
Building configuration...
No memory available
Error executing command
[FAILED]
-------------------------------------------------
The #show memory statistics are as given below
-------------------------------------------------
C17440-BJ08-PIX2# sh memory
Free memory: 1819856 bytes ( 1%)
Used memory: 132397872 bytes (99%)
------------- ----------------
Total memory: 134217728 bytes (100%)
C17440-BJ08-PIX2#
---------------------------------------------------
The # sh version details are as given below
---------------------------------------------------
C17440-BJ08-PIX2# sh ver
Cisco PIX Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)
Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"
C17440-BJ08-PIX2 up 1 hour 39 mins
failover cluster up 1 year 49 days
Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: Ext: Ethernet0 : address is 001d.a215.5878, irq 10
1: Ext: Ethernet1 : address is 001d.a215.5879, irq 11
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license.
Serial Number: 907380160
Running Activation Key: 0xf72c7fe2 0x81fb96d9 0x70dab81b 0x67d49718
Configuration last modified by enable_1 at 12:26:39.880 UTC Tue Feb 14 2012
----------------------------------------------------------------
Is it normal for the PIX to have such high memory utilization? How can I reduce the memory utilization? How can I upgrade the memory if I need to? What kind of memory should I be using for the upgrade?
Please suggest.
Many thanks,
Anup
02-14-2012 06:58 PM
99% is definitely an issue. Based on the below link, it appears 128MB is the max for the failover pair. Did you check the translations (show xlate)? Try to clear the translations if this seems to be the issue. Also, try a reboot and if the issue still exists, you may be hitting a bug. Try to contact TAC. I am not sure if support is still available for PIX, but give it a try.
hth
MS
02-21-2012 12:31 AM
Hi MS,
A valid Service Contract for the device is required to contact TAC, right?
Thanks,
Anup
02-15-2012 09:59 PM
-Perform the following:
show blocks
Look for any blocks that have a low count at or near 0. The 1550 block being exhausted is indicative of your interfaces being overrun. You will likely see large 'no buffer' counters when you perform a 'show interfaces' command. If other blocks show low counts near 0, you can likely pinpoint your issue from there by checking the command reference for explanations of the other blocks.
-Is your NAT 0 configuration large? Poorly applied NAT 0 configurations can cause a huge amount of entries in the NAT table, which can consume memory.
-Similarly, very large crypto configurations with large crypto access-list configurations can cause the security association database and the security policy database to grow very large, which can also consume memory.
What's your config like?
02-21-2012 12:35 AM
Hi Patrick,
Can a large running configuration with lots of IP based blocking be the cause of a memory utilization issue?
We have provided access to external servers by adding those into an object group and then mentioning the group in an access list. Would reconfiguring them based on a network or a subnet help in reducing the memory utilization? Is it somehow related?
Thanks,
Anup
02-22-2012 01:04 PM
Hi all,
The issue has been successfully resolved now. The configuration had a huge number of network objects which were public IP based. It was all summarized to networks and the new network objects were created with summarized networks. The IP based network objects were removed from the configuration as well. As soon as the objects were removed the memory utilization went down and it is now at a less critical 78%.
Thanks,
Anup
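The kind of summarization described in the resolution above can be sketched as follows. This is an added example, not part of the original thread or any poster's configuration: the group name and addresses are constructed (documentation ranges), and the script only merges entries that combine exactly, so the rewritten group permits the same address set as before rather than widening it to a covering supernet.

```python
import ipaddress

# Constructed sample of a host-based object-group (documentation address ranges).
SAMPLE_CONFIG = """\
object-group network EXT-SERVERS
 network-object host 198.51.100.0
 network-object host 198.51.100.1
 network-object host 198.51.100.2
 network-object host 198.51.100.3
 network-object host 203.0.113.8
 network-object host 203.0.113.9
 network-object host 203.0.113.77
 network-object 192.0.2.0 255.255.255.128
 network-object 192.0.2.128 255.255.255.128
"""

def parse_group(text):
    """Return (group_name, [IPv4Network]) for one object-group block."""
    name, nets = None, []
    for line in text.splitlines():
        words = line.split()
        if words[:2] == ["object-group", "network"]:
            name = words[2]
        elif words[:2] == ["network-object", "host"]:
            nets.append(ipaddress.ip_network(words[2] + "/32"))
        elif words[:1] == ["network-object"] and len(words) == 3:
            # "address mask" form; raises ValueError if host bits are set
            nets.append(ipaddress.ip_network(f"{words[1]}/{words[2]}"))
    return name, nets

def summarize(nets):
    """Lossless aggregation: the result covers exactly the same addresses."""
    return list(ipaddress.collapse_addresses(nets))

def address_count(nets):
    """Total addresses covered (assumes the entries do not overlap)."""
    return sum(n.num_addresses for n in nets)

def render(name, nets):
    """Emit the group again in network-object syntax."""
    lines = [f"object-group network {name}"]
    for n in nets:
        if n.prefixlen == 32:
            lines.append(f" network-object host {n.network_address}")
        else:
            lines.append(f" network-object {n.network_address} {n.netmask}")
    return "\n".join(lines)

if __name__ == "__main__":
    name, before = parse_group(SAMPLE_CONFIG)
    after = summarize(before)
    print(f"{len(before)} entries -> {len(after)} entries, "
          f"{address_count(before)} -> {address_count(after)} addresses")
    print(render(name, after))
```

Comparing the address counts before and after is the check that matters for the access policy: equal counts mean the smaller group did not open access to any additional external address.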