Re: Memory high on ASA 5520, can I find out what it is? - Page 2

whiteford · ‎10-20-2008

Hi,

I have a ASA 5520 with 512mb of memory. Over the last fiew months the memory has increased from 25% to and average of 65%.

I have added about 10 VPN's recently which increased in by 10%, but the other part I can only think it's from our WAN. Our WAN is connected to a VLAN on a Cisco 3750 that is trunked to the ASA's 0/2 port.

These VPN's and WAN offices are controlled using numerous ACE's.

Are there any methods to show what could be using the memory?

Thanks

husycisco · ‎10-21-2008

This link will help you to contact TAC

http://www.cisco.com/en/US/support/tsd_contact_technical_support.html

No, 256 MB is not a high memory usage for an ASA, but 130 MB for a single process does not look right. 40MB looks reasonable for fover_parse when your ASA is in A/A failover. I also made a search on internet and have not found any valuable information about "tmatch compile thread" or a report about an abnormal memory consumption by it. You can ask TAC about that process.

Farrukh Haroon · ‎10-21-2008

Well whatever thread it is it seems to cause a lot of bugs, I can locate seven:

Bug ID Status Severity

CSCse92565

Traceback in Thread Name: tmatch compile thread after clear config all Info

Fixed 2

CSCsf25418

Traceback in Thread Name: tmatch compile after assert Info

Fixed 2

CSCsg39502

ASA 7.0.6 Traceback in tmatch compile. Info

Fixed 2

CSCsl32225

Traceback in Thread Name: Checkheaps when Simultaneous login set to 1 Info

Fixed 2

CSCso76239

Traceback on tmatch_compile_thread Info

Terminated 2

CSCsg69149

Policy NAT with large ACL and HA may traceback in tmatch compile thread Info

Fixed 2

CSCsd88914

Traceback in Thread Name: tmatch compile thread Info

Fixed 3

Regards

Farrukh

whiteford · ‎10-22-2008

Hi, I'm on:

sh ver

Cisco Adaptive Security Appliance Software Version 8.0(3)

Device Manager Version 6.0(3)

Compiled on Tue 06-Nov-07 22:59 by builders

System image file is "disk0:/asa803-k8.bin"

Do I need to upgrade?

Farrukh Haroon · ‎10-22-2008

In my humble opinion it would be best to log a case with Cisco TAC and have them suggest you a suitable version (or any workaround) for this issue.

Regards

Farrukh

abinjola · ‎10-22-2008

give me .."sh mem detail" output

whiteford · ‎10-22-2008

Hi, here it is attached

abinjola · ‎10-22-2008

Now this requires decoding of fragment sizes using TAC internal tools, please open a TAC case, call 1-800-553-2447

whiteford · ‎10-23-2008

Hi,

TAC said the memory is not high (260mb) and sad "tmatch compile thread" is the memory process dealing wth my ACL's, so not much I can do about that.

He said I could do:

asa(config)#no threat-detection basic-threat

asa(config)#no threat-detection statistics access-list

"Please note that the bug indicates that you would need to remove "threat

detection" configuration and reboot the device in order to reclaim the

memory and this will work only if you are facing memory issues."

Thing is those 2 commands sound lke important security features, are they worth turninig off?

Also I have IPS AIM-10 yet to be turned on, will this take over anyway?

Farrukh Haroon · ‎10-24-2008

The threat detection is not really a 'critical' feature of the firewall and can be turned off. It was introduced not so long ago. Its capabilites are also pretty limited interms of analyzing attack dynamics.

There are some features/signatures with the IPS which can takeover, but there is no real integration b/w the Cisco ASA and IPS module. They are two separate entities sharing the same metal case :).

Regards

Farrukh