I have recently found a “feature” with large configurations on ASA firewalls.
The Cisco ASA5510 has 1024KB of NVRAM; the customer's configuration had grown to approx. 2000 lines and was approaching 100KB when saving.
When this configuration was put on the ASA a variety of errors were seen (replicated on 8.2.3, 8.2.5, 8.4.3):

- Unable to create high-modulus SSH keys, but could create keys with a modulus of 512
- Error on write mem:
    ERROR: Out of memory in nv_open()
    ca save all failed.
- ASDM works before the config is pasted in, but not after
- Error on running any command:
    *** Error: hist_save() failed on malloc
- Error on show flash:
    FW# sh flash
    --#-- --length-- -----date/time------ path
    %Error opening disk0:/ (Cannot allocate memory)
After optimising the config by summarising some /24s into /16s, I removed approx. 400 lines of config; the config is now 85KB and everything is working correctly. For reference, the config is so big because they have 120 site-to-site VPNs configured as backup connections for their WAN. Considering the ASA 5510 supports 250 concurrent VPN connections, this seems like a bit of an oversight!!!!
I have searched for a way to adjust the resources with no success; has anyone found a way to use more space in the NVRAM and have a larger configuration?
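The workaround described in the post (summarising /24s into larger prefixes to shrink the configuration) trades config size for address scope, and on a firewall a wider prefix in an object or crypto ACL is a security change, not just a tidy-up. The following Python script is an added example, not code from the original post or from Cisco: it parses ASA-style `object network` / `subnet` lines from a constructed sample config, measures the config size, collapses the networks into the minimal set of supernets that cover exactly the same addresses (using `ipaddress.collapse_addresses`), and reports how many addresses a coarser summary such as a /16 would cover beyond the original members. The object names, subnets and the `SITE-` naming scheme are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample of ASA-style object lines (not taken from the original post).
SAMPLE_CONFIG = """\
object network SITE-A-LAN
 subnet 10.10.0.0 255.255.255.0
object network SITE-B-LAN
 subnet 10.10.1.0 255.255.255.0
object network SITE-C-LAN
 subnet 10.10.2.0 255.255.255.0
object network SITE-D-LAN
 subnet 10.10.3.0 255.255.255.0
object network SITE-E-LAN
 subnet 10.20.5.0 255.255.255.0
"""

SUBNET_RE = re.compile(r"^\s*subnet\s+(\S+)\s+(\S+)\s*$")


def parse_subnets(config_text):
    """Extract every 'subnet <addr> <mask>' line as an ip_network object."""
    nets = []
    for line in config_text.splitlines():
        m = SUBNET_RE.match(line)
        if m:
            # ip_network accepts the dotted-mask form used by ASA config.
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def config_size_bytes(config_text):
    """Size of the config text as it would be stored (ASCII)."""
    return len(config_text.encode("ascii"))


def exact_summary(nets):
    """Minimal set of supernets covering exactly the same addresses as 'nets'."""
    return sorted(ipaddress.collapse_addresses(nets))


def over_reach(nets, summary_prefix):
    """Addresses a candidate summary would cover that no original net contains.

    A non-zero result means the summary widens what the firewall permits.
    """
    summary = ipaddress.ip_network(summary_prefix)
    covered = sum(n.num_addresses for n in nets if n.subnet_of(summary))
    return summary.num_addresses - covered


def render_objects(nets, name_prefix="SUMMARY"):
    """Emit ASA-style object lines for a list of networks (hypothetical naming)."""
    lines = []
    for i, n in enumerate(nets):
        lines.append(f"object network {name_prefix}-{i}")
        lines.append(f" subnet {n.network_address} {n.netmask}")
    return "\n".join(lines) + "\n"


def summarise_config(config_text):
    """Return (original_bytes, summarised_bytes, summarised_nets)."""
    nets = parse_subnets(config_text)
    summary = exact_summary(nets)
    rendered = render_objects(summary)
    return config_size_bytes(config_text), config_size_bytes(rendered), summary


if __name__ == "__main__":
    before, after, summary = summarise_config(SAMPLE_CONFIG)
    print(f"config size: {before} bytes -> {after} bytes")
    for n in summary:
        print(f"  exact supernet: {n}")
    # Check a coarser, lossy summary before committing to it.
    extra = over_reach(parse_subnets(SAMPLE_CONFIG), "10.10.0.0/16")
    print(f"  10.10.0.0/16 would add {extra} addresses not in any original object")
```

Run it on a saved `show running-config` to see how much space exact aggregation recovers; anything `over_reach` reports as non-zero is scope the firewall did not previously allow and should be reviewed with the same care as a new rule.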