cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1798
Views
0
Helpful
5
Replies

Urgent: Crypto memory runs full on ASA 8.0(2)

Hi,

I currently in the process of setting up a new ASA 5510 firewall with ver. 8.0(2) for our company.

I cannot yet implement the box because of an annoying error. After a few hours of uptime, I am suddenly unable to log into ASDM or SSH.

I've narrowed the problem into some sort of memory problem.

When the problem arises, I've gone through the console to check the logs and debug messages.

The log stated some cryptic thing like: "SSL_new malloc failure"

And the debug of SSH and Crypto stated something like: "Unable to address xxxx amount of memory for ssl certificate"

After I read these messages, I looked into the memory consumption. (I should probably mention that this whole problem is solved by a reboot), and when issuing the command: "show memory detail" I can see that the available memory for the crypto engine has a free percentage of 13%.

Now, slowly this percentage is dropping! Every now and then I issue the command, and the free percentage has dropped a few percents. When it hits zero, I get the mentioned problem, where I am unable to log into ASDM and SSH.

So... Is there anyone outthere who's got a clue? It would be okay even with some sort of workaround, where I could clear the memory without having to reboot the whole box. I haven't been able to find such command myself, though.

Hope someone can help me out. I was supposed to install the firewall at midnight today, but if this problem is not solved (or a workaround found), I will be forced to delay this operation :(

Thanks in advance,

Rasmus

5 Replies 5

gmarogi
Level 5
Level 5

I think you need to check the memory allocation after you reboot the device, the command "show mem detail" can show you the memory allocation states in detail. You can also try to pin point the process that is consuming the memory.

martindickinson
Level 1
Level 1

Hi Rasmus,

Did you ever get a fix for this problem please?

Kind Regards.

Two years later, and I've come across the same problem on an ASA 5505 running 8.2(2).

It only manifested itself after entering a new activation key (which may have altered memory allocation in order to accommodate the additional authorized features).

No other configuration changes were made, and suddenly SSL sessions are failing (both ASDM and browser sessions to https://[addr]/admin).

In addition to some SSL_new malloc failure messages "show ssl errors" reveals:

error:14076FA2:SSL routines:SSL23_GET_CLIENT_HELLO:reason(4002)@s23_srvr.c:276

error:1409C041:SSL routines:SSL3_SETUP_BUFFERS:malloc failure@s3_both.c:796

Hi Ben,

Take a look at bug # CSCtb58989 (http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs) and see if the conditions match your environment. It looks like you might be hitting that bug.

The workaround is listed in the bug details and the issue is fixed in 8.2.2.1, so you could try loading the latest 8.2.2 interim build on CCO.

Hope that helps.

-Mike

Yes, that turned out to be the problem. Shortly after I posted here, TAC got back to me on my case with exactly the same answer.

Thanks.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: