08-30-2007 03:18 AM - edited 03-11-2019 04:04 AM
Hi,
If I need to reduce memory usage in a PIX525 running 7.2(2), what would be the first services to sacrifice? The default HTTP service inspection seems to offer very little, but as most of our traffic is HTTP it is probably consuming some CPU/RAM.
I have three interfaces that each have an ACL of 1000+ elements. Do these consume a lot of RAM?
When I ran 7.1.2 the memory usage was usually 50%. Now it seems to be 70%. That said, I have enabled multicast on the PIX - but the traffic volumes are very low.
Thanks.
08-30-2007 06:00 AM
See, that is why people prefer a router/switch for multicast.
You say that the PIX has too many ACLs + multicast, and routing must be there.
Naturally CPU goes higher.
I suggest you put in one perimeter switch and do multicasting from there. One hop will be added, but you will get better throughput.
Now, if you would keep it as it is, a few suggestions are here:
1) Put the MROUTE command for the outgoing interface and remove unnecessary outside routes.
2) For access lists, watch carefully, and if you can, use a WILDCARD mask instead of individual ACLs... that will help you minimize ACL entries. Fewer ACLs, less CPU/memory utilization.
3) See the hello timer default by show pim traffic.
You can maximize the hello timer.
4) show igmp traffic, show conn... monitor how many connections there are at a time.
5) Capture traffic by using:
ciscoasa#configure terminal
ciscoasa(config)#access-list captureacl permit ip any host 224.1.2.3
ciscoasa(config)#capture capout interface outside access-list captureacl
ciscoasa(config)#capture capin interface inside access-list captureacl
show capture capout
show capture capin
Monitor unnecessary traffic from any host from any network.
Regards,
Dharmesh Purohit
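An added example (not part of the original posts) of the ACL consolidation idea in suggestion 2: it merges consecutive entries that differ only in source address into exact aggregates, so the permitted set never widens and first-match order is preserved. The ACL name, addresses and the `summarize` helper are constructed for illustration; the output uses network masks, which is what PIX/ASA `access-list` syntax takes.

```python
import ipaddress
import re

# Constructed sample ACL (not from the thread); name and addresses are illustrative.
SAMPLE_ACL = """\
access-list inside_in extended permit tcp host 10.1.1.0 any eq www
access-list inside_in extended permit tcp host 10.1.1.1 any eq www
access-list inside_in extended permit tcp host 10.1.1.2 any eq www
access-list inside_in extended permit tcp host 10.1.1.3 any eq www
access-list inside_in extended permit tcp host 10.1.1.9 any eq www
access-list inside_in extended permit tcp 10.2.0.0 255.255.255.0 any eq 443
access-list inside_in extended permit tcp 10.2.1.0 255.255.255.0 any eq 443
access-list inside_in extended deny ip any any
"""

# Groups: 1 = name/action/protocol, 2 = host source, 3+4 = net and mask, 5 = rest of entry
ACE = re.compile(
    r"^(access-list \S+ extended (?:permit|deny) \S+) "
    r"(?:host (\S+)|(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)) (.+)$")

def summarize(acl_text):
    """Merge runs of consecutive entries that differ only in source address."""
    out, run_key, run_nets = [], None, []

    def flush():
        # collapse_addresses only joins exactly adjacent blocks, so nothing extra is permitted
        for net in ipaddress.collapse_addresses(run_nets):
            if net.prefixlen == 32:
                src = f"host {net.network_address}"
            else:
                src = f"{net.network_address} {net.netmask}"
            out.append(f"{run_key[0]} {src} {run_key[1]}")
        run_nets.clear()

    for line in acl_text.splitlines():
        m = ACE.match(line.strip())
        key = (m.group(1), m.group(5)) if m else None
        if key != run_key:          # a different entry shape ends the current run
            flush()
            run_key = key
        if m is None:               # unparsed entries (e.g. "any" sources) pass through in place
            out.append(line.strip())
        else:
            host, net, mask = m.group(2), m.group(3), m.group(4)
            run_nets.append(ipaddress.ip_network(f"{host}/32" if host else f"{net}/{mask}"))
    flush()
    return out
```

On the sample, eight entries become four; the isolated host 10.1.1.9 stays a host entry because no exact aggregate covers it.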
08-30-2007 08:58 AM
Everything I've read says that HTTP inspection does consume lots of resources, that's why it's disabled by default.