01-03-2008 04:11 PM - edited 03-09-2019 07:46 PM
After the upgrade from 7.2.3 on the ASA to 8.0.3 our memory usage went from 80-85MB to 350MB. Cisco says it's ok. Anyone else seeing this?
01-04-2008 06:52 AM
Hi,
I upgraded our ASA5540 yesterday and found the same thing: used memory went from 500-600 megs to 880 (of 1024). I turned off the threat-detection statistics that I had turned on and saved about 100 megs (down to 775). I am concerned that we could run out of memory.
This is on a busy university network with lots of connections!
Regards,
Marc.
01-04-2008 08:03 AM
Thanks Marc for the insight!
Are you using the new dashboard stats as well? I was going to turn those off and see what happened.
Thanks again!
Chris Harwell
01-04-2008 08:35 AM
Hi Chris,
The "threat-detection" statistics that I turned off are used for the right part of the new firewall dashboard.
The "top 10 access rules" graph at the top needs the following stats:
threat-detection statistics access-list
The "top 10 services", "top 10 sources" and "top 10 destinations" need the following stats:
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics host
(it's easy to determine this with the "preview commands before sending them to the device" option turned on in tools->preferences).
These are the stats that I initially turned on; turning them off (no threat-detection ...) saved us about 100 megs of memory.
As for the left part of the dashboard (connection stats, dropped packet rates and possible scan and SYN attack rates), I still have these graphs, I don't think anything has to be turned on to collect these stats (so nothing can be turned off to save some more memory).
It's a bit of a shame to have to turn off nice features because they take too much memory... ;-(
Regards,
Marc.
01-04-2008 08:43 AM
AHHH, I didn't realize what I was looking at. I enabled those from the dashboard, not realizing that's the same config under Config/Firewall/ThreatDetection. I turned mine off and only saved about 5%.
Chris
01-11-2008 11:36 AM
Hello,
I want to correct my own posting. I wrote:
>As for the left part of the dashboard (connection stats, dropped packet rates
>and possible scan and SYN attack rates), I still have these graphs, I don't think
>anything has to be turned on to collect these stats (so nothing can be turned off
>to save some more memory).
This is only partially true. The two bottom graphs ("dropped packet rates" and "possible scan and SYN attack rates") need the following command to work: "threat-detection basic-threat".
But the second part of what I wrote ("nothing can be turned off to save memory") seems to be true: I have found that even if I turn off basic threat detection ("no threat-detection basic-threat"), I save absolutely no memory!
Regards,
Marc.
01-11-2008 11:42 AM
Hey Marc,
No problem. I actually saved 5% turning that off, but we are nowhere near your usage. The "concern" was actually another problem that has since been fixed and I may actually turn it back on. Even with it on I think I'm still under 40% on the CPU. Thanks again for the feedback. It's always interesting to see how other people's "mileage vary".