show memory dead - many SSH proc

mmedwid · ‎12-26-2013

After being up less than three days - "show memory dead" displays 4,100 instances of

entries like:

4B021528 0000000156 4B0211A0 4B0215F4 001 -------- -------- 43BA7684 SSH Process

The device is a 2811 ISR running 12.4(24)T3. I have been troubleshooting a problem

where by outbound dialing starts to fail intermittently and a router reboot solves the

issue. Any idea what could be triggering all these SSH proc dead memory entries?

Might they be related to some of the inconsistent VOIP (SIP trunk) behavior?

John Blakley · ‎12-26-2013

Do you have an acl on the interface that could block ssh? It seems to me there are a bunch of half open connections that the router is trying to keep open. If you aren't blocking ssh, maybe you should...

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

mmedwid · ‎12-26-2013

To secure access I am using Zone firewall and an ACL on vty 0 4. For the latter note:

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input ssh

sfo-c2811-1#sho access-list 23

Standard IP access list 23

10 permit 5.4.53.78

20 permit 5.7.54.32, wildcard bits 0.0.0.31

30 permit 192.168.0.0, wildcard bits 0.0.255.255

40 permit 10.0.0.0, wildcard bits 0.255.255.255 (32 matches)

50 permit 10.10.10.0, wildcard bits 0.0.0.255

60 deny any log

The zone firewall is very simple - permit everything out. Deny everything in except SIP and ping.

Looking at syslog I don't see any denies for SSH - just some denied snmp. Drop is the default

class for the policy.

zone-pair security sdm-zp-out-self source out-zone destination self

 service-policy type inspect sdm-permit

It's conceivable something inside is banging against it. Perhaps I should put on a permit all ACL to see if something inside is going rogue with SSH attempts to it. Thank you for the thoughts.