Core issue

This issue is related to a memory leak in PIX/ASA version 7.2(1).

During this issue, the block memory depletes. This is a transient message and the firewall should recover. (Primary) can also be listed as (Secondary) for the secondary unit.

Resolution

In order to isolate this issue, use the show blocks command.

The show blocks command helps to determine if the security appliance is overloaded. This command lists the pre-allocated system buffer utilization. A full memory condition is not a problem as long as traffic moves through the security appliance. Issue the show conn command in order to see if the traffic moves. If the traffic does not move and the memory is full, there can be a problem.

This information can also be viewed through the Simple Network Management Protocol (SNMP).

The information shown in a security context includes the system-wide information as well as context-specific information about the blocks in use and the high water mark for block usage.

Examples

This is a sample output from the show blocks command in single mode:

    hostname#show blocks

   SIZE      MAX      LOW    CNT

    4          1600      1598     1599

    80        400        398       399

   256       3600      3540     3542

   1550     4716      3177     3184

   16384   10         10         10

   2048     1000     1000     1000

In order to resolve this issue, download and upgrade PIX/ASA to software version 7.2.2 (18) or later from Cisco Downloads.  If issue still exists contact Cisco Technical Support.