Urgent: Crypto memory runs full on ASA 8.0(2)

Unanswered Question
Jul 26th, 2007
User Badges:

Hi,


I currently in the process of setting up a new ASA 5510 firewall with ver. 8.0(2) for our company.


I cannot yet implement the box because of an annoying error. After a few hours of uptime, I am suddenly unable to log into ASDM or SSH.


I've narrowed the problem into some sort of memory problem.

When the problem arises, I've gone through the console to check the logs and debug messages.


The log stated some cryptic thing like: "SSL_new malloc failure"


And the debug of SSH and Crypto stated something like: "Unable to address xxxx amount of memory for ssl certificate"


After I read these messages, I looked into the memory consumption. (I should probably mention that this whole problem is solved by a reboot), and when issuing the command: "show memory detail" I can see that the available memory for the crypto engine has a free percentage of 13%.


Now, slowly this percentage is dropping! Every now and then I issue the command, and the free percentage has dropped a few percents. When it hits zero, I get the mentioned problem, where I am unable to log into ASDM and SSH.


So... Is there anyone outthere who's got a clue? It would be okay even with some sort of workaround, where I could clear the memory without having to reboot the whole box. I haven't been able to find such command myself, though.


Hope someone can help me out. I was supposed to install the firewall at midnight today, but if this problem is not solved (or a workaround found), I will be forced to delay this operation :(


Thanks in advance,

Rasmus

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
gmarogi Wed, 08/01/2007 - 10:07
User Badges:
  • Bronze, 100 points or more

I think you need to check the memory allocation after you reboot the device, the command "show mem detail" can show you the memory allocation states in detail. You can also try to pin point the process that is consuming the memory.

martindickinson Mon, 06/22/2009 - 04:44
User Badges:

Hi Rasmus,


Did you ever get a fix for this problem please?


Kind Regards.

Two years later, and I've come across the same problem on an ASA 5505 running 8.2(2).

It only manifested itself after entering a new activation key (which may have altered memory allocation in order to accommodate the additional authorized features).

No other configuration changes were made, and suddenly SSL sessions are failing (both ASDM and browser sessions to https://[addr]/admin).


In addition to some SSL_new malloc failure messages "show ssl errors" reveals:



error:14076FA2:SSL routines:SSL23_GET_CLIENT_HELLO:reason(4002)@s23_srvr.c:276

error:1409C041:SSL routines:SSL3_SETUP_BUFFERS:malloc [email protected]_both.c:796




mirober2 Tue, 07/20/2010 - 09:56
User Badges:
  • Cisco Employee,

Hi Ben,


Take a look at bug # CSCtb58989 (http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs) and see if the conditions match your environment. It looks like you might be hitting that bug.


The workaround is listed in the bug details and the issue is fixed in 8.2.2.1, so you could try loading the latest 8.2.2 interim build on CCO.


Hope that helps.


-Mike

Actions

This Discussion