PIX 515E - High Memory Utilization

Feb 14th, 2012

Hi Experts ,


We are experiencing high memory utilization on a PIX 515E firewall. It has 128MB DRAM and the average utilization stays mostly at 99%, which is quite a concern now. Remote Access VPN users are unable to connect and get the following error when they try to connect:

"Secure VPN Connection terminated by Peer . Reason 433 (Reason Not Specified by Peer ) "

Can it be because of the high memory utilization?

Also note that we have the failover mechanism enabled with a Primary/Secondary, Active/Standby configuration. Due to the high memory utilization we are also unable to write the configuration to memory. The following error shows up:

------------------------------------------------

C17440-BJ08-PIX2# write memory
Building configuration...
No memory available

Error executing command
[FAILED]

-------------------------------------------------


The #show memory statistics are as given below


-------------------------------------------------

C17440-BJ08-PIX2# sh memory
Free memory:         1819856 bytes ( 1%)
Used memory:       132397872 bytes (99%)
-------------     ----------------
Total memory:      134217728 bytes (100%)
C17440-BJ08-PIX2#

---------------------------------------------------

The # sh version details are as given below

---------------------------------------------------

C17440-BJ08-PIX2# sh ver

Cisco PIX Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)

Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"

C17440-BJ08-PIX2 up 1 hour 39 mins
failover cluster up 1 year 49 days

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0           : address is 001d.a215.5878, irq 10
1: Ext: Ethernet1           : address is 001d.a215.5879, irq 11

Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs               : 25
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Cut-through Proxy           : Enabled
Guards                      : Enabled
URL Filtering               : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : Unlimited

This platform has an Unrestricted (UR) license.

Serial Number: 907380160
Running Activation Key: 0xf72c7fe2 0x81fb96d9 0x70dab81b 0x67d49718
Configuration last modified by enable_1 at 12:26:39.880 UTC Tue Feb 14 2012

----------------------------------------------------------------

Is it normal for the PIX to have such high memory utilization? How can I reduce the memory utilization? How can I upgrade the memory if I need to? What kind of memory should I be using for the upgrade?


Please suggest


Many Thanks ,

Anup

Overall Rating: 4 (2 ratings)
mvsheik123 Tue, 02/14/2012 - 18:58

99% is definitely an issue. Based on the link below, it appears 128MB is the max for the failover pair. Did you check the translations (show xlate)? Try to clear the translations if this seems to be the issue. Also, try a reboot and if the issue still exists, you may be hitting a bug. Try to contact TAC. I am not sure if support is still available for PIX, but give it a try.



http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/prod_bulletin0900aecd8023c8d4.html


hth

MS 

Anup Sasikumar Tue, 02/21/2012 - 00:31

Hi MS ,



A valid Service Contract for the device is required to contact TAC, right?


Thanks ,

Anup

Patrick0711 Wed, 02/15/2012 - 21:59

-perform the following:


show blocks


Look for any blocks that have a low count at or near 0.  The 1550 block being exhausted is indicative of your interfaces being overrun.  You will likely see large 'no buffer' counters when you perform a 'show interfaces' command.  If other blocks show low counts near 0, you can likely pinpoint your issue from there by checking the command reference for explanations of the other blocks.


-Is your NAT 0 configuration large?  Poorly applied NAT 0 configurations can cause a huge amount of entries in the NAT table which can consume memory.


-Similarly, very large crypto configurations with large crypto access-list configurations can cause the security association database and the security policy database to grow very large, which can also consume memory.


What's your config like?

Anup Sasikumar Tue, 02/21/2012 - 00:35

Hi Patrick ,


Can a large running configuration with lots of IP-based blocking be the cause of a memory utilization issue?

We have provided access to external servers by adding those into an object group and then mentioning the group in an access list. Would reconfiguring them based on a network or a subnet help in reducing the memory utilization? Is it in some way related?


Thanks ,

Anup

Anup Sasikumar Wed, 02/22/2012 - 13:04

Hi all ,


The issue has been successfully resolved now. The configuration had a huge number of network objects which were public IP based. They were all summarized to networks and new network objects were created with the summarized networks. The IP-based network objects were removed from the configuration as well. As soon as the objects were removed the memory utilization went down and it is now at a less critical 78%.


Thanks ,

Anup
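
The summarization described in the resolution above, as an added example that is not part of the original thread: it parses `network-object` lines from an object-group, merges them exactly (no new address permitted), and separately rounds entries up to a chosen prefix while counting how many extra addresses the access list would then allow. The group name, the sample addresses (documentation ranges) and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample object-group; addresses are documentation ranges.
SAMPLE_CONFIG = """\
object-group network EXT-SERVERS
 network-object host 198.51.100.0
 network-object host 198.51.100.1
 network-object host 198.51.100.2
 network-object host 198.51.100.3
 network-object host 198.51.100.9
 network-object host 203.0.113.16
 network-object host 203.0.113.17
 network-object 203.0.113.32 255.255.255.252
"""

ENTRY = re.compile(r"^\s*network-object\s+(?:host\s+(\S+)|(\S+)\s+(\S+))\s*$")

def parse_entries(config):
    """Return the networks named by 'network-object' lines (host or net/mask form)."""
    nets = []
    for line in config.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # group header or unrelated line
        spec = m.group(1) + "/32" if m.group(1) else f"{m.group(2)}/{m.group(3)}"
        nets.append(ipaddress.ip_network(spec))
    return nets

def summarize_exact(nets):
    """Merge adjacent and overlapping entries without permitting any new address."""
    return list(ipaddress.collapse_addresses(nets))

def widen(nets, prefixlen):
    """Round longer entries up to /prefixlen; return (networks, extra addresses permitted)."""
    wide = list(ipaddress.collapse_addresses(
        n.supernet(new_prefix=prefixlen) if n.prefixlen > prefixlen else n
        for n in nets))
    before = sum(n.num_addresses for n in summarize_exact(nets))
    return wide, sum(n.num_addresses for n in wide) - before

def to_config(nets):
    """Render networks back into network-object lines."""
    return [f" network-object host {n.network_address}" if n.prefixlen == 32
            else f" network-object {n.network_address} {n.netmask}" for n in nets]

if __name__ == "__main__":
    entries = parse_entries(SAMPLE_CONFIG)
    print("\n".join(to_config(summarize_exact(entries))))
    wide, extra = widen(entries, 28)
    print(f"/28 rounding: {len(wide)} entries, {extra} additional addresses permitted")
```

The exact merge leaves the policy unchanged; the widened form is shorter still, and the extra-address count is the figure to review before replacing host entries with a covering network.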
