ASA 5550 block memory depleted

Answered Question
Sep 27th, 2011

Currently running (2) ASA 5550's in LAN failover configuration, ASA ver 8.3(2). Intermittently the firewall will fail over. And it will do this several times within a half hour or so time frame. Error message in syslogs is:


%ASA-3-105010, which is "Block memory was depleted. This is a transient message and the adaptive security appliance should recover."


Recommended Action: Use the show blocks command to monitor the current block memory.



What could be causing this issue? Is there a fix for this issue?

mirober2 (Cisco Employee) Tue, 09/27/2011 - 08:41

Hi Kristen,


Which block sizes are being depleted? Can you post the output of 'show block' for us?


-Mike

Kristen Sims Tue, 09/27/2011 - 08:51

 Size     Max     Low     CNT
    0    1450    1401    1450
    4     900     899     899
   80    5660    5525    5660
  256    3864    3608    3864
 1550   20000       0   19723
 2048    6100    6076    6100
 2560    7320    7320    7320
 4096     100     100     100
 8192     100     100     100
16384     200     200     200
65536      16      16      16



Thank you!













mirober2 (Cisco Employee) Tue, 09/27/2011 - 08:56

Hi Kristen,


By any chance, do you have 'logging standby' configured? If so, does every interface have a standby IP address configured? If any interfaces are missing a standby IP (you can check the output of 'show failover'), you may be running into this bug:


CSCtk68555 - 1550 and 256 byte blocks may leak to 0 causing failover and data issues

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk68555


If this is the case, you can disable 'logging standby' or assign a standby IP address to each and every interface as a workaround.


-Mike

Kristen Sims Tue, 09/27/2011 - 09:01

I do have a standby IP address configured for every interface except the management interface. Should I configure a standby on the management interface?

Correct Answer
mirober2 (Cisco Employee) Tue, 09/27/2011 - 09:03

Hi Kristen,


As a best practice, yes all interfaces should have a standby IP address assigned. If you have 'logging standby' enabled, this would be enough to trigger the bug I mentioned before. I would suggest adding the standby IP address to the management interface and then monitoring to ensure the block depletion stops.


Hope that helps.


-Mike
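
An added example, not part of the thread and not Cisco code: a Python check for the two conditions discussed above, a block pool whose low-water mark reached 0 in 'show blocks', and 'logging standby' configured while an interface has no standby IP. The function names and the running-config fragment are hypothetical; it assumes the usual ASA `ip address <addr> <mask> standby <addr>` form.

```python
import re

# Three rows copied from the 'show blocks' output posted in the thread.
SHOW_BLOCKS = """\
SIZE    MAX    LOW    CNT
 256   3864   3608   3864
1550  20000      0  19723
2048   6100   6076   6100
"""

# Constructed running-config fragment; interface names and addresses are made up.
RUNNING_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
interface Management0/0
 nameif management
 ip address 10.0.0.1 255.255.255.0
!
logging enable
logging standby
"""

def depleted_pools(show_blocks, low_floor=0):
    """Return (size, max, low, cnt) for pools whose low-water mark reached low_floor."""
    hits = []
    for line in show_blocks.splitlines():
        m = re.fullmatch(r"\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*", line)
        if m and int(m.group(3)) <= low_floor:
            hits.append(tuple(int(g) for g in m.groups()))
    return hits

def interfaces_missing_standby(config):
    """Return interfaces that have a static 'ip address' line without 'standby'."""
    missing, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif not line.startswith(" "):
            current = None          # left the interface block
        elif current and re.match(r"\s+ip address \d", line) and " standby " not in line:
            missing.append(current)
    return missing

def bug_condition(config):
    """True when 'logging standby' is set and some interface lacks a standby IP."""
    logging_standby = any(l.strip() == "logging standby" for l in config.splitlines())
    return logging_standby and bool(interfaces_missing_standby(config))
```

Running the same check again after the workaround is applied confirms that neither condition remains before relying on the block counters to recover.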
