
ASA 5506-X Webvpn enabled with more than one Anyconnect.pkg file installed - memory issues?

I have a 5506-X running 9.9(2)61 and ASDM 7.13(1).  I have had to stay on 9.9 due to it having the FirePOWER services module running.  It is configured for Webvpn and has the headend Anyconnect packages installed.  I recently updated them to the latest 4.8.01090 packages.  If more than one package is installed then I get memory errors and I can't ssh, telnet or open ASDM.

asa5506/actNoFailover/pri(config-webvpn)# anyconnect enable process_create: out of stack memory
_listen_ssh: failed to create thread for interface 6 port 22
process_create: out of stack memory
_listen_ssh: failed to create thread for interface 6 port 22
asa5506/actNoFailover/pri(config-webvpn)#
asa5506/actNoFailover/pri(config-webvpn)#
asa5506/actNoFailover/pri# process_create: out of stack memory
_listen_ssh: failed to create thread for interface 6 port 22
process_create: out of stack memory
Unable to create Unicorn Admin Handler
process_create: out of stack memory
_listen_telnet: failed to create thread for interface 6 port 23

If the configuration is saved and the ASA rebooted it crashes as it loads the configuration and then bootloops.

If Anyconnect is enabled or disabled it's the same behaviour.  It is only when there is a single Anyconnect .pkg file configured that it works.

 

2 Replies

This is at least not how it should behave. Typically you have two or three images loaded (Win, macOS, Linux) and while upgrading often four to six and everything works. And that works for a couple of my 5506 from customers (with 9.8, 9.9 and 9.10).

Your ASA-prompt indicates that there is something wrong with your failover. I would fix that first and then look further. If nothing helps, factory-reset the box and configure it completely new to see if the failure lasts. If all of that does not help, open a TAC case.

There is no failover configured, this is a standalone ASA5506-X.  As part of a standard ASA build the line:

prompt hostname context state priority

is added that includes the failover status in the prompt.  You should just ignore that as it's irrelevant.

I would normally have three images loaded - Windows, MacOS and Linux X64.  Currently I just have one image loaded and it works fine, however with two or more I get these memory issues.  Luckily I have a console connection via an old 2516 router acting as a reverse telnet server so I can get on the console.

This is the current configuration:

webvpn
 enable outside
 no anyconnect-essentials
 hostscan image disk0:/hostscan_4.8.02024-k9.pkg
 hostscan enable
 anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
 anyconnect enable
 cache
  disable
 error-recovery disable

The other Anyconnect images are in flash, however if I add them to the webvpn configuration I get these memory issues.

 anyconnect image disk0:/anyconnect-linux64-4.8.01090-webdeploy-k9.pkg 2 
 anyconnect image disk0:/anyconnect-macos-4.8.01090-webdeploy-k9.pkg 3