Memory usage after upgrade to 8.03

chris.harwell · ‎01-03-2008

After the upgrade from 7.2.3 on the ASA to 8.0.3 our memory usage went from 80-85MB to 350MB. Cisco says it's is ok. Anyone else seeing this?

MMazuhelli_2 · ‎01-04-2008

Hi,

I upgraded our ASA5540 yesterday and found the same thing: used memory went from 500-600 megs to 880 (of 1024). I turnd off the threat-detection statistics that I had turned on and saved about 100 megs (down to 775). I am concerned that we could run out of memory.

This is on a busy university network with lots of connections!

Regards,

Marc.

chris.harwell · ‎01-04-2008

Thanks Marc for the insight!

Are you using the new dashboard stats as well? I was going to turn those off and see what happened.

Thanks again!

Chris Harwell

MMazuhelli_2 · ‎01-04-2008

Hi Chris,

The "threat-detection" statistics that I turned off are used for the right part of the new firewall dashboard.

The "top 10 access rules" graph at the top needs the following stats:

threat-detection statistics access-list

The "top 10 services", "top 10 sources" and "top 10 destinations" need the following stats:

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics host

(it's easy to determine this with the "preview commands before sending them to the device" option turned on in tools->preferences).

These are the stats that I initially turned on; turning them off (no threat-detection ...) saved us about 100 megs of memory.

As for the left part of the dashboard (connection stats, dropped packet rates and possible scan and SYN attack rates), I still have these graphs, I don't think anything has to be turned on to collect these stats (so nothing can be turned off to save some more memory).

It's a bit of a shame to have to turn off nice features because they take too much memory... ;-(

Regards,

Marc.

chris.harwell · ‎01-04-2008

AHHH, I didn't realize what I was looking at. I enable those from the dashboard not realizing thats the same config under Config/Firewall/ThreatDetection. I turned mine off and only saved about 5%.

Chris

MMazuhelli_2 · ‎01-11-2008

Hello,

I want to correct my own posting. I wrote:

>As for the left part of the dashboard (connection stats, dropped packet rates

>and possible scan and SYN attack rates), I still have these graphs, I don't think

>anything has to be turned on to collect these stats (so nothing can be turned off

>to save some more memory).

This is only partially true. The two bottom graphs ("dropped packet rates" and "possible scan and SYN attack rates") need the following command to work: "threat-detection basic-threat".

But the second part of what I wrote ("nothing can be turned off to save memory") seems to be true I have found that even if I turn off basic threat detection ("no threat-detection basic-threat"), I save absolutely no memory!

Regards,

Marc.

chris.harwell · ‎01-11-2008

Hey Marc,

No problem. I actually saved 5% turning that off but we are no were near your usage. The "concern" was actually another problem that has since been fixed and I may actually turn it back on. Even with it on I think I'm still under 40% on the CPU. Thanks again for the feedback. It's always interesting to see how other people's "mileage vary".