05-01-2018 01:32 PM - edited 03-05-2019 10:22 AM
I'm trying to figure out why my Cisco ASA seems to be dropping packets. This is giving me a poor network connection with lots of timeouts. I cleared the asp table to analyze recent traffic drops:
# show asp drop
Frame drop:
NAT-T keepalive message (natt-keepalive) 29
IPSEC tunnel is down (ipsec-tun-down) 1
Flow is denied by configured rule (acl-drop) 47
Flow denied due to resource limitation (unable-to-create-flow) 2479
First TCP packet not SYN (tcp-not-syn) 15
Slowpath security checks failed (sp-security-failed) 2
Dropped pending packets in a closed socket (np-socket-closed) 1
Obviously the "Flow denied due to resource limitation (unable-to-create-flow)" reason is the highest.
The command reference page here: https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/show_asp_drop/show_asp_drop.html
provides the following information:
Name: unable-to-create-flow
Flow denied due to resource limitation:
This counter is incremented and the packet is dropped when flow creation fails due to a system resource limitation. The resource limit may be either:
1) system memory
2) packet block extension memory
3) system connection limit
Causes 1 and 2 will occur simultaneously with flow drop reason "No memory to complete flow".
Recommendation:
- Observe if free system memory is low.
- Observe if flow drop reason "No memory to complete flow" occurs.
- Observe if connection count reaches the system connection limit with the command "show resource usage".
Syslogs:
None
However, I see no flow drops or "No memory to complete flow" in the output.
I also checked "show resource usage" and am nowhere near the limit for connection count:
Resource  Current  Peak  Limit  Denied  Context
Conns     5        976   10000  0       System
However, when I checked the memory usage, it appears to be at a steady 90%:
# show memory
Free memory: 23174384 bytes ( 9%)
Used memory: 245261072 bytes (91%)
------------- ------------------
Total memory: 268435456 bytes (100%)
# show memory detail
Free memory: 23249728 bytes ( 9%)
Used memory:
Allocated memory in use: 69024960 bytes (26%)
Reserved memory: 176160768 bytes (66%)
So it appears that the issue may stem from memory overuse. Does anyone have any suggestions for how to resolve this issue? Looking on other similar forum posts, it seems like the issue was resolved by updating the IOS. However, I updated to the latest version of the firmware in January due to the RCE vulnerability in the VPN service on these devices. Any advice is appreciated.
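The three checks in the Cisco recommendation quoted above (low free memory, a "No memory to complete flow" drop reason, and connection count against the limit) are easy to automate once the three outputs are captured. The following is an added example written for this thread; it is not code from the original post or from Cisco. The sample text is constructed from the outputs pasted above, and the 15% free-memory and 90%-of-connection-limit thresholds are my own assumptions, not Cisco's numbers. Because asp drop counters are cumulative, the script also computes the delta between two samples, which is what "clear asp drop" followed by a later "show asp drop" gives you by hand.

```python
import re

# Constructed samples modelled on the outputs pasted in the post above.
SHOW_ASP_DROP = """Frame drop:
NAT-T keepalive message (natt-keepalive) 29
IPSEC tunnel is down (ipsec-tun-down) 1
Flow is denied by configured rule (acl-drop) 47
Flow denied due to resource limitation (unable-to-create-flow) 2479
First TCP packet not SYN (tcp-not-syn) 15
Slowpath security checks failed (sp-security-failed) 2
Dropped pending packets in a closed socket (np-socket-closed) 1
"""

SHOW_MEMORY = """Free memory: 23174384 bytes ( 9%)
Used memory: 245261072 bytes (91%)
------------- ------------------
Total memory: 268435456 bytes (100%)
"""

SHOW_RESOURCE_USAGE = """Resource Current Peak Limit Denied Context
Conns 5 976 10000 0 System
"""

# A counter line looks like: "<description> (<short-name>) <count>"
_COUNTER_RE = re.compile(r"^(.+?)\s+\((\S+)\)\s+(\d+)\s*$", re.M)


def parse_asp_drop(text):
    """Return {short_name: count} for every counter line in 'show asp drop'."""
    return {m.group(2): int(m.group(3)) for m in _COUNTER_RE.finditer(text)}


def asp_drop_delta(before, after):
    """Counters are cumulative: report only what increased between two samples."""
    old, new = parse_asp_drop(before), parse_asp_drop(after)
    return {k: new[k] - old.get(k, 0) for k in new if new[k] - old.get(k, 0) > 0}


def parse_memory(text):
    """Return (free_bytes, total_bytes) from 'show memory'."""
    free = int(re.search(r"Free memory:\s+(\d+) bytes", text).group(1))
    total = int(re.search(r"Total memory:\s+(\d+) bytes", text).group(1))
    return free, total


def parse_conns(text):
    """Return (current, peak, limit) from the Conns row of 'show resource usage'."""
    m = re.search(r"^Conns\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", text, re.M)
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def triage(asp_text, mem_text, res_text, low_free_pct=15.0, conn_warn_pct=90.0):
    """Apply the three checks from the command reference and name the top drop reason.

    low_free_pct and conn_warn_pct are assumed thresholds chosen for this example.
    """
    counters = parse_asp_drop(asp_text)
    top = max(counters, key=counters.get)
    free, total = parse_memory(mem_text)
    free_pct = 100.0 * free / total
    _current, peak, limit = parse_conns(res_text)
    return {
        "top_drop": (top, counters[top]),
        "free_pct": round(free_pct, 1),
        "low_memory": free_pct < low_free_pct,
        # Match on the description text, which is what the reference page quotes.
        "no_memory_flow_drop": "No memory to complete flow" in asp_text,
        # Peak is what matters: the limit was hit if peak ever reached it.
        "conns_near_limit": 100.0 * peak / limit >= conn_warn_pct,
    }


if __name__ == "__main__":
    report = triage(SHOW_ASP_DROP, SHOW_MEMORY, SHOW_RESOURCE_USAGE)
    for key, value in report.items():
        print(f"{key:>20}: {value}")
```

On the constructed sample this flags low_memory=True and conns_near_limit=False with unable-to-create-flow as the top reason, which is the same conclusion the post reaches by reading the outputs manually: the drops track memory pressure, not the connection limit. In practice you would paste the three outputs from the device (or pull them over SSH) and run a second "show asp drop" a few minutes after the first so asp_drop_delta shows which counters are still climbing.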
05-04-2018 01:22 PM
According to a couple other posts, any software version beyond 8.3 requires 512GB of memory, so I've decided to just go ahead and spend the $20 on some new memory. https://supportforums.cisco.com/t5/firewalling/tips-for-freeing-up-memory-on-asa-5505/td-p/2004058