ASA High Memory utilization and random lockouts

Unanswered Question
Oct 24th, 2007

We have 2 ASA 5520's running Active/Standby with the cable based failover. At random times, perhaps once or twice a week, we will get calls that RA VPN users cannot connect (RA users connect with the Cisco VPN client). Also, most often during this time we cannot telnet into the "primary" ASA, but we can "usually" access it via the ASDM, where we will see that the memory utilization is in the upper 90% range and perhaps as high as 98% consistently. To help temporarily solve the issue we have to telnet to the "secondary" ASA, which we can usually access via telnet, and perform a "failover active", which will fail over the primary and make the secondary become the active and vice versa. Has anyone seen this issue? I have opened up several TAC cases and have not had much help. Thanks in advance!

marcobinda Thu, 10/25/2007 - 04:42

Hi Brandon,

It is important to know what version your ASAs are running [i.e. 7.0(4)] and to collect some logs. You can set logging to error level (logging buffered errors), with the logging standby, so all of the messages should be replicated on the standby unit.

Even the show crashinfo could give you useful info.

show crashinfo

: Saved_Crash

Thread Name: vpnfo_thread_msg (Old pc 0x00b47b80 ebp 0x01c60634)

You can check the caveats for your release from the Cisco site. This link is for the 7.0(4):

http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix704rn.html#wp32426

It could be a known bug solved in a newer image.

Here you can find useful info to perform a zero downtime upgrade.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mswlicfg.html

Regards,

Marco.

mbroberson1 Thu, 10/25/2007 - 06:43

I did find a possibility. It looks like the high memory usage could be a cosmetic bug. But we still from time to time, perhaps once or twice a week, get calls saying that RA VPN client users can't connect. Below is a link to the bug.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh78681&from=summary

We are on the following code.

Cisco Adaptive Security Appliance Software Version 7.2(2)19

Device Manager Version 5.2(2)61

mbroberson1 Thu, 10/25/2007 - 07:06

Attached is a show version from our ASA.

Thanks for your reply. When this issue is making access difficult, yes I can get into the ASA via the console port and also the ASDM...kind of strange I know. We are logging, but I have yet to see anything leading to a viable reason. Attached is the sh ver from the ASA.

Thanks,

Brandon

Matt Boeckner Fri, 01/09/2009 - 08:44

I am having the same problem on a 5510 running 8.0.4 code. Memory is constantly at 88%, and at times the device basically locks up: unable to telnet or ASDM, but can console.

Traffic does not pass through. Rebooting seems to clear it.

I was thinking that possibly the DRAM memory would need to be increased, but you cannot upgrade the DRAM any higher than what it ships with.

Did you ever find a resolution to your problem?
