Cisco Support Community

New Member

ASA 5505 crashes and reboots

Hi,

Any advice on the real-world performance of an ASA 5505? I have run into crash-and-reboot issues with my 5505 after setting up a pretty big ruleset. The ruleset is created by a script (http://stefan.gofferje.net/it-stuff/cisco-systems/201-block-a-whole-country-with-a-cisco-asa) that pulls country IP blocks from ipdeny.com and creates network objects for China, Korea and Palestine. The resulting object list is around 6,000 lines (example: http://home.gofferje.net/blocklist.asa). I then have rules in outside_access_in which deny and log connections from those 3 network objects.

Now, when the traffic on my ASA gets high, it seems to crash and reboot. I log to a syslog server, and the last thing I see is something like this:

Oct 15 12:49:28 192.168.10.254 %ASA-4-711004: Task ran for 24466 msec, Process = Dispatch Unit, PC = 9c03a65, Call stack = 0x09c03a65  0x09c04130  0x08fc2a70  0x08fec7ab  0x08065afc  0x08066167  0x090ef243  0xffffe410  0x09bdd9ac  0x09bdfb7b  0x0916849e  0x09be5fae  0x08a5e1dd  0x08a5e93a

My ASA is running 9.2(2); I bought it just a few weeks ago. My internet connection is 100 Mbit.

-Stefan
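
As an added example (not part of Stefan's post and not a Cisco tool), here is a small Python parser for %ASA-4-711004 lines like the one quoted above. It pulls the task run time, the process name and the PC out of each line and flags Dispatch Unit stalls above a threshold, so the condition can be alerted on from the syslog server before the box actually reboots. The sample log lines and the 5 second threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of the message quoted in the post:
# "... %ASA-4-711004: Task ran for <msec> msec, Process = <name>, PC = <hex>, Call stack = ..."
ASA_711004 = re.compile(
    r"%ASA-4-711004: Task ran for (?P<msec>\d+) msec, "
    r"Process = (?P<proc>[^,]+), PC = (?P<pc>[0-9a-fA-F]+)"
)

# Constructed sample syslog lines (assumption): the line from the post, a short
# benign run of the same process, an unrelated message, and a stall in another process.
SAMPLE_LOG = [
    "Oct 15 12:49:28 192.168.10.254 %ASA-4-711004: Task ran for 24466 msec, Process = Dispatch Unit, "
    "PC = 9c03a65, Call stack = 0x09c03a65  0x09c04130  0x08fc2a70",
    "Oct 15 12:49:30 192.168.10.254 %ASA-4-711004: Task ran for 120 msec, Process = Dispatch Unit, "
    "PC = 9c03a65, Call stack = 0x09c03a65",
    "Oct 15 12:49:31 192.168.10.254 %ASA-6-302013: Built inbound TCP connection 12345 "
    "for outside:198.51.100.7/4321",
    "Oct 15 12:49:35 192.168.10.254 %ASA-4-711004: Task ran for 9000 msec, Process = ssh, "
    "PC = 8a5e1dd, Call stack = 0x08a5e1dd",
]

@dataclass
class TaskStall:
    host: str       # syslog sender, i.e. the ASA's address
    msec: int       # how long the task held the CPU
    process: str    # ASA process name, e.g. "Dispatch Unit"
    pc: str         # program counter reported in the message

def parse_711004(line: str) -> Optional[TaskStall]:
    """Return a TaskStall for a 711004 line, None for any other message."""
    m = ASA_711004.search(line)
    if m is None:
        return None
    # Everything before "%ASA" is the syslog header; its last token is the sender.
    header = line[: m.start()].split()
    host = header[-1] if header else "?"
    return TaskStall(host, int(m.group("msec")), m.group("proc").strip(), m.group("pc"))

def find_stalls(lines: List[str], threshold_ms: int = 5000,
                process: str = "Dispatch Unit") -> List[TaskStall]:
    """Stalls of `process` that ran for at least `threshold_ms`.

    The Dispatch Unit is the ASA's packet-processing path, so a multi-second
    run there means the data plane was not forwarding for that long. The
    5000 ms default is an assumption, not a Cisco figure."""
    return [s for s in map(parse_711004, lines)
            if s is not None and s.process == process and s.msec >= threshold_ms]

if __name__ == "__main__":
    for s in find_stalls(SAMPLE_LOG):
        print(f"{s.host}: {s.process} stalled for {s.msec} ms at PC {s.pc}")
```

Run against the real syslog feed, the 24466 ms line in the post would be the only hit at the default threshold; the 120 ms run of the same process and the stall in an unrelated process are ignored.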

4 REPLIES
Super Bronze

Hi,

I presume that you have local servers to which you want to generally allow traffic BUT want to block traffic from the mentioned external subnets/networks? If so, then the interesting question would be how you have configured the actual ACL. Do you have the "object-group"s mentioned in use on your ASA, and are they used multiple times in the same ACL for different destination servers?

Cisco documentation recommends a maximum of 25k ACEs in ACLs for the ASA 5505. Considering the number of objects in those "object-group"s, you would easily go over that recommended limit if you had a few servers for which you had rules using these "object-group"s.

For example:

access-list OUTSIDE-IN deny ip object-group block-CN host x.x.x.x
access-list OUTSIDE-IN deny ip object-group block-KR host x.x.x.x
access-list OUTSIDE-IN deny ip object-group block-PS host x.x.x.x

access-list OUTSIDE-IN deny ip object-group block-CN host y.y.y.y
access-list OUTSIDE-IN deny ip object-group block-KR host y.y.y.y
access-list OUTSIDE-IN deny ip object-group block-PS host y.y.y.y

access-list OUTSIDE-IN deny ip object-group block-CN host z.z.z.z
access-list OUTSIDE-IN deny ip object-group block-KR host z.z.z.z
access-list OUTSIDE-IN deny ip object-group block-PS host z.z.z.z

Would that not result in approx. 18k ACL rules? Even more so if you have further destination addresses to which the traffic is blocked.

Have you checked your memory usage on the ASA at the moment?

show memory

You should be able to view the number of ACEs in the ACL with the command

show access-list outside_access_in | inc elements

Cisco states that each ACE uses at minimum 212 bytes of RAM. Cisco also mentions that the performance degradation is around 10-15% if the recommended ACE amount is reached or exceeded. There does not seem to be any set maximum limit. It should only be limited by the amount of RAM.

- Jouni

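To put a number on the expansion Jouni describes, here is an added Python script (not from the thread and not Cisco code) that reads the object-group and access-list lines of an ASA config and computes how many ACEs each ACL expands to, with a RAM estimate at the 212-byte figure and a flag against the 25k recommendation. It assumes the default expansion where an ACE whose source group has N members and whose destination group has M members becomes N x M ACEs (object-group-search disabled), it models only network groups (service groups and port operators are skipped over, not counted), and the config below is a small constructed sample rather than Stefan's real block list.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

RECOMMENDED_ACES_5505 = 25_000   # limit Jouni cites for the ASA 5505
MIN_BYTES_PER_ACE = 212          # per-ACE RAM figure cited in the reply

# Constructed sample config (assumption, not Stefan's real block list): three
# small country groups, a nested "all countries" group, a server group, and an
# ACL that references them.
SAMPLE_CONFIG = """
object-group network block-CN
 description constructed sample, not real ipdeny data
 network-object 1.0.1.0 255.255.255.0
 network-object 1.0.2.0 255.255.254.0
 network-object 1.0.8.0 255.255.248.0
object-group network block-KR
 network-object 1.11.0.0 255.255.0.0
 network-object 1.16.0.0 255.252.0.0
object-group network block-PS
 network-object 1.178.0.0 255.255.0.0
object-group network block-ALL
 group-object block-CN
 group-object block-KR
 group-object block-PS
object-group network web-servers
 network-object host 203.0.113.10
 network-object host 203.0.113.11
access-list OUTSIDE-IN extended deny ip object-group block-ALL object-group web-servers log
access-list OUTSIDE-IN extended deny ip object-group block-CN host 203.0.113.12
access-list OUTSIDE-IN extended permit tcp any object-group web-servers eq 443
access-list OUTSIDE-IN extended deny ip any any log
"""

def group_sizes(config: str) -> Dict[str, int]:
    """Number of leaf network entries per object-group, following group-object nesting."""
    members: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    current = None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "object-group" and parts[1] == "network":
            current = parts[2]
            members[current]            # register the group even if it stays empty
        elif current and parts[0] == "network-object":
            members[current].append(("net", " ".join(parts[1:])))
        elif current and parts[0] == "group-object":
            members[current].append(("group", parts[1]))
        elif current and parts[0] == "description":
            continue
        else:
            current = None              # any other top-level command ends the group

    def size(name: str, seen: Tuple[str, ...] = ()) -> int:
        if name in seen:
            raise ValueError(f"group-object loop through {name}")
        if name not in members:
            raise KeyError(f"object-group {name} is referenced but never defined")
        return sum(1 if kind == "net" else size(ref, seen + (name,))
                   for kind, ref in members[name])

    return {name: size(name) for name in members}

def _addr_count(tokens: List[str], i: int, sizes: Dict[str, int]) -> Tuple[int, int]:
    """Size of the address spec starting at tokens[i]; returns (count, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4", "any6"):
        return 1, i + 1
    if tok == "object-group":
        return sizes[tokens[i + 1]], i + 2
    # "host A", "object NAME", "interface X", or a bare "A.B.C.D M.M.M.M" pair
    return 1, i + 2

def _skip_ports(tokens: List[str], i: int) -> int:
    """Step over a source port operator (eq/gt/lt/neq X or range A B) if present."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        return i + 2
    if i < len(tokens) and tokens[i] == "range":
        return i + 3
    return i

ACE_RE = re.compile(r"^access-list (\S+) extended (?:permit|deny) (\S+) (.+)$")

def expanded_aces(config: str) -> Dict[str, int]:
    """Expanded ACE count per ACL: each configured line contributes |src| x |dst|."""
    sizes = group_sizes(config)
    counts: Dict[str, int] = defaultdict(int)
    for raw in config.splitlines():
        m = ACE_RE.match(raw.strip())
        if m is None:
            continue
        acl, _proto, rest = m.groups()
        toks = rest.split()
        src, i = _addr_count(toks, 0, sizes)
        i = _skip_ports(toks, i)
        dst, _ = _addr_count(toks, i, sizes)
        counts[acl] += src * dst
    return dict(counts)

def assess(config: str, limit: int = RECOMMENDED_ACES_5505) -> Dict[str, dict]:
    """Per-ACL expanded size, minimum RAM at 212 bytes/ACE, and whether it exceeds `limit`."""
    return {acl: {"aces": n, "min_ram_bytes": n * MIN_BYTES_PER_ACE, "over_limit": n > limit}
            for acl, n in expanded_aces(config).items()}

if __name__ == "__main__":
    for acl, r in assess(SAMPLE_CONFIG).items():
        print(f"{acl}: {r['aces']} ACEs, >= {r['min_ram_bytes']} bytes, over limit: {r['over_limit']}")
```

Feed it the output of `show running-config object-group` and `show running-config access-list` and compare the result with what `show access-list NAME | inc elements` reports on the box. The multiplication is the point: a 6,000-entry group referenced against three destination hosts is 18,000 expanded ACEs, which is exactly the figure in the reply above, and each further destination adds another 6,000.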

New Member

Nope, I blocked to any because I don't see any legitimate traffic from China, Korea or Palestine to my network.

I created the rules in ASDM by inserting a rule in the first position of outside_access_in which said: access from outside:block-CN, outside:block-KR and outside:block-PS to any, deny.

ASDM made ~6000 "access-list extended line 1 from outside <ip> <netmask> to any deny" lines out of that. Memory usage was around 350 MB/512 MB.

Super Bronze

Hi,

Are the "object-group"s updated regularly by some script running somewhere?

The "object-group" listing seems to have a command that first removes the "object-group" and then creates it again. If this "object-group" exists in an ACL, then that should mean that the script cannot remove the "object-group" unless it first removes the ACL lines (or any configurations) using the said "object-group". If the ACL lines are not removed first, then it would seem to me that inserting the mentioned configuration will simply add many subnets/networks again with no result (if they exist) or possibly add some new ones.

I am not sure if the case is the one mentioned above. Maybe not. But if it is, maybe it's related to the problem.

I guess Cisco TAC could probably easily check what the problem is, but I would imagine that using such a large "object-group" or modifying it "on the fly" might have something to do with the problem.

- Jouni
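
For the update problem Jouni raises, here is an added Python example (not Stefan's script and not Cisco code) that turns a freshly downloaded country list into an incremental change for an existing object-group: it emits only `no network-object` / `network-object` lines for prefixes that left or joined the list, so the group is never deleted and any ACL that references it stays intact, which is what matters if the ASA refuses `no object-group` for a group in use, as the reply above suspects. The two prefix lists are constructed samples, not real ipdeny data; the ASA syntax assumed is `network-object A.B.C.D M.M.M.M` and `network-object host A.B.C.D` inside `object-group network`.

```python
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed samples (assumption, not real ipdeny data): what the group holds
# on the ASA now, and the list just downloaded for the same country.
CURRENT_CN = ["1.0.1.0/24", "1.0.2.0/23", "1.0.8.0/21", "1.1.0.0/24", "1.2.3.4/32"]
NEW_CN = ["1.0.1.0/24", "1.0.2.0/23", "1.0.8.0/21", "1.1.2.0/23", "1.1.4.0/22"]

def parse_prefixes(prefixes: Iterable[str]) -> set:
    """Validate a CIDR list. strict=True rejects entries with host bits set
    (e.g. 1.1.1.5/24), which the ASA would also refuse, so a bad download
    fails here instead of half-applying on the box."""
    return {ipaddress.ip_network(p.strip(), strict=True) for p in prefixes if p.strip()}

def network_object(net: Net) -> str:
    """ASA network-object syntax for one prefix."""
    if net.version == 4:
        if net.prefixlen == 32:
            return f"network-object host {net.network_address}"
        return f"network-object {net.network_address} {net.netmask}"
    return f"network-object {net.with_prefixlen}"

def _order(net: Net):
    # Deterministic output: IPv4 before IPv6, then by address, then by length.
    return (net.version, int(net.network_address), net.prefixlen)

def incremental_update(group: str, current: Iterable[str], new: Iterable[str]) -> List[str]:
    """Config lines that turn `current` into `new` without deleting the group.
    Returns [] when nothing changed, so an unchanged download pushes nothing."""
    have, want = parse_prefixes(current), parse_prefixes(new)
    removes = sorted(have - want, key=_order)
    adds = sorted(want - have, key=_order)
    if not removes and not adds:
        return []
    lines = [f"object-group network {group}"]
    lines += [f" no {network_object(n)}" for n in removes]
    lines += [f" {network_object(n)}" for n in adds]
    return lines

if __name__ == "__main__":
    print("\n".join(incremental_update("block-CN", CURRENT_CN, NEW_CN)))
```

The "current" list would normally come from `show running-config object-group` on the ASA rather than from a file; comparing against what the box actually holds is what makes the push idempotent when a previous run was interrupted.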

New Member

That was the plan originally but I didn't get to the automatic update yet. I was still in the testing phase for the ruleset. Automatic update would have been the next step.
