CSCue51351 - ASA Huge NAT config causes traceback due to unbalanced p3 tree

Hi ASA experts

CSCue51351 - ASA Huge NAT config causes traceback due to unbalanced p3 tree

I want to know: how huge?

Below, this DDTS condition is SSP60.

----------------------

Symptom:

ASA running 8.4(4)9 version code may generate a traceback with Thread Name: DATAPATH-7-2315 and reload.

Conditions:

Observed on ASA5585-SSP-60 running in failover environment.

Workaround:

None

----------------------

SSP60 can perform up to 10,000,000 concurrent sessions.

Is it over 10,000,000 concurrent sessions?

Regards.

Mot

5 REPLIES
Silver


Hi Mot,

This defect does not affect the number of concurrent sessions.

Instead, this defect only comes into play if you have a large number of NAT or ACL statements (say 25k+) which you are modifying and at the same time the device is processing a large number of new connections/second (say 20k+); only then is there the potential of running into this issue.

Sincerely,

David.

New Member


Hi David,

Thank you for the great information!

I am relieved to hear that. (my customers, too)

Regards,

Mot.

New Member


Hi David,

I have some additional questions.

In this environment (25K NAT / ACL and 25Kcps),

Which mode did you use, Multi-Context or Single Multi-Context?

Would you please tell me whether that environment is per device or per context?

Silver


Hi Mot,

The mode does not matter. Meaning, this applies to single context mode, or if in multi-context mode, then the 25k NAT would need to be all in one context, while that context is also receiving 25Kcps.

Note - the issue occurs mainly because of the large NAT table, but high conn/sec rates elevate the CPU, causing it to spend more time processing new connection requests, and the NAT code does not get enough run time to re-balance the compiled tree, causing an imbalance. This imbalance can become very large (i.e., lopsided), causing a watchdog timer to fire, crashing the ASA.

Sincerely,

David.

New Member


Hi David,

Thank you for the quick response and great information!

Regards,

Mot.
