10-20-2008 06:02 AM - edited 03-11-2019 06:59 AM
Hi,
I have an ASA 5520 with 512 MB of memory. Over the last few months the memory has increased from 25% to an average of 65%.
I have added about 10 VPNs recently, which increased it by 10%, but the other part I can only think is from our WAN. Our WAN is connected to a VLAN on a Cisco 3750 that is trunked to the ASA's 0/2 port.
These VPNs and WAN offices are controlled using numerous ACEs.
Are there any methods to show what could be using the memory?
Thanks
10-21-2008 01:39 PM
This link will help you to contact TAC
http://www.cisco.com/en/US/support/tsd_contact_technical_support.html
No, 256 MB is not a high memory usage for an ASA, but 130 MB for a single process does not look right. 40 MB looks reasonable for fover_parse when your ASA is in A/A failover. I also searched the internet and have not found any valuable information about "tmatch compile thread" or a report about abnormal memory consumption by it. You can ask TAC about that process.
10-21-2008 09:59 PM
Well whatever thread it is it seems to cause a lot of bugs, I can locate seven:
| Bug ID | Headline | Status | Severity |
|---|---|---|---|
| CSCse92565 | Traceback in Thread Name: tmatch compile thread after clear config all | Fixed | 2 |
| CSCsf25418 | Traceback in Thread Name: tmatch compile after assert | Fixed | 2 |
| CSCsg39502 | ASA 7.0.6 Traceback in tmatch compile. | Fixed | 2 |
| CSCsl32225 | Traceback in Thread Name: Checkheaps when Simultaneous login set to 1 | Fixed | 2 |
| CSCso76239 | Traceback on tmatch_compile_thread | Terminated | 2 |
| CSCsg69149 | Policy NAT with large ACL and HA may traceback in tmatch compile thread | Fixed | 2 |
| CSCsd88914 | Traceback in Thread Name: tmatch compile thread | Fixed | 3 |
Regards
Farrukh
10-22-2008 12:06 AM
Hi, I'm on:
sh ver
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(3)
Compiled on Tue 06-Nov-07 22:59 by builders
System image file is "disk0:/asa803-k8.bin"
Do I need to upgrade?
10-22-2008 12:11 AM
In my humble opinion it would be best to log a case with Cisco TAC and have them suggest a suitable version (or any workaround) for this issue.
Regards
Farrukh
10-22-2008 12:41 AM
Give me the "sh mem detail" output.
10-22-2008 01:59 AM
10-22-2008 05:44 AM
Now this requires decoding of fragment sizes using TAC internal tools, please open a TAC case, call 1-800-553-2447
10-23-2008 12:39 PM
Hi,
TAC said the memory is not high (260 MB) and said "tmatch compile thread" is the memory process dealing with my ACLs, so not much I can do about that.
He said I could do:
asa(config)#no threat-detection basic-threat
asa(config)#no threat-detection statistics access-list
"Please note that the bug indicates that you would need to remove "threat detection" configuration and reboot the device in order to reclaim the memory and this will work only if you are facing memory issues."
Thing is, those 2 commands sound like important security features. Are they worth turning off?
Also I have IPS AIM-10 yet to be turned on, will this take over anyway?
10-24-2008 09:27 PM
The threat detection is not really a 'critical' feature of the firewall and can be turned off. It was introduced not so long ago. Its capabilities are also pretty limited in terms of analyzing attack dynamics.
There are some features/signatures with the IPS which can take over, but there is no real integration b/w the Cisco ASA and IPS module. They are two separate entities sharing the same metal case :).
Regards
Farrukh