ASA 5550 block memory depleted

Answered Question
Sep 27th, 2011

Currently running (2) ASA 5550's in LAN failover configuration, ASA ver 8.3(2). Intermittently the firewall will fail over, and it will do this several times within a half hour or so time frame. Error message in syslogs is:

%ASA-3-105010, which is "Block memory was depleted. This is a transient message and the adaptive security appliance should recover."

Recommended Action: Use the show blocks command to monitor the current block memory.

What could be causing this issue? Is there a fix for this issue?

mirober2 Tue, 09/27/2011 - 08:41

Hi Kristen,

Which block sizes are being depleted? Can you post the output of 'show block' for us?

-Mike

Kris55s_2 Tue, 09/27/2011 - 08:51

 Size     Max     Low     CNT
    0    1450    1401    1450
    4     900     899     899
   80    5660    5525    5660
  256    3864    3608    3864
 1550   20000       0   19723
 2048    6100    6076    6100
 2560    7320    7320    7320
 4096     100     100     100
 8192     100     100     100
16384     200     200     200
65536      16      16      16

Thank you!

mirober2 Tue, 09/27/2011 - 08:56

Hi Kristen,

By any chance, do you have 'logging standby' configured? If so, does every interface have a standby IP address configured? If any interfaces are missing a standby IP (you can check the output of 'show failover'), you may be running into this bug:

CSCtk68555 - 1550 and 256 byte blocks may leak to 0 causing failover and data issues

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk68555

If this is the case, you can disable 'logging standby' or assign a standby IP address to each and every interface as a workaround.

-Mike

Kris55s_2 Tue, 09/27/2011 - 09:01

I do have a standby IP address configured for every interface except the management interface. Should I configure a standby on the management interface?

Correct Answer
mirober2 Tue, 09/27/2011 - 09:03

Hi Kristen,

As a best practice, yes all interfaces should have a standby IP address assigned. If you have 'logging standby' enabled, this would be enough to trigger the bug I mentioned before. I would suggest adding the standby IP address to the management interface and then monitoring to ensure the block depletion stops.

Hope that helps.

-Mike
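
The check discussed in this thread, as an added example that is not part of the original posts or any Cisco tooling: it reads saved 'show block' output and a saved configuration, then reports pools whose Low column reached 0 and interfaces that have an IP address but no standby address while 'logging standby' is enabled. The sample inputs are constructed, and the function names and the assumption that interface sections are separated by "!" lines are illustrative.

```python
import re

# Constructed sample, modelled on the 'show block' output posted in the thread.
SHOW_BLOCKS = """\
SIZE    MAX    LOW    CNT
 256   3864   3608   3864
1550  20000      0  19723
2048   6100   6076   6100
"""

# Constructed ASA-style configuration fragment (documentation address ranges).
RUNNING_CONFIG = """\
logging standby
interface GigabitEthernet0/0
 nameif outside
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
interface Management0/0
 nameif management
 ip address 198.51.100.1 255.255.255.0
!
"""

def depleted_pools(show_blocks):
    """Return block sizes whose Low column (fewest free blocks seen) is 0."""
    hits = []
    for line in show_blocks.splitlines():
        fields = line.split()
        # Data rows are exactly four integers; the header row is skipped.
        if len(fields) == 4 and all(f.isdigit() for f in fields):
            size, _max, low, _cnt = map(int, fields)
            if low == 0:
                hits.append(size)
    return hits

def interfaces_missing_standby(config):
    """Return nameifs that have an IP address but no 'standby' address."""
    missing = []
    for block in re.split(r"^!\s*$", config, flags=re.M):
        ip = re.search(r"^ ip address \S+ \S+(.*)$", block, flags=re.M)
        name = re.search(r"^ nameif (\S+)", block, flags=re.M)
        if ip and name and "standby" not in ip.group(1):
            missing.append(name.group(1))
    return missing

def matches_thread_condition(config, show_blocks):
    """True when logging standby is on, an interface lacks a standby IP, and a pool hit 0."""
    logging_standby = re.search(r"^logging standby\s*$", config, flags=re.M) is not None
    return logging_standby and bool(interfaces_missing_standby(config)) and bool(depleted_pools(show_blocks))
```

A match only says the configuration fits the workaround conditions described above; confirming the bug itself still needs the vendor's bug details.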

Posted September 27, 2011 at 7:57 AM