I have a ASA 5520 with 512mb of memory. Over the last fiew months the memory has increased from 25% to and average of 65%.
I have added about 10 VPN's recently which increased in by 10%, but the other part I can only think it's from our WAN. Our WAN is connected to a VLAN on a Cisco 3750 that is trunked to the ASA's 0/2 port.
These VPN's and WAN offices are controlled using numerous ACE's.
Are there any methods to show what could be using the memory?
Click on following link and try to troubleshoot.
Our Internet pipe (VPN's come in) just went down for 10 mins, and the memory didn't change which makes me think the Internet and VPN's haven't caused the memory to increase.
Here is my output:
Free memory: 191530360 bytes (36%)
Used memory: 345340552 bytes (64%)
Total memory: 536870912 bytes (100%)
show xlate count
514 in use, 1223 most used
sh conn count
810 in use, 1915 most used
SIZE MAX LOW CNT
0 100 62 100
4 728 727 727
80 700 683 700
256 612 579 612
1550 8881 7314 7583
2048 2612 2339 2358
2560 164 164 164
4096 100 100 100
8192 100 100 100
16384 230 230 230
65536 16 16 16
If you enabled buffered logging, or you have ASDM 6.0 with IOS 8.0, the Top 10 usage services consume a lot of memory. Disable it by following command
no threat-detection statistics host
no threat-detection statistics port
no threat-detection statistics protocol
Hi, How did u determine that the top 10 services are consuming the high memory and what shd be the normal statics. Thanks
I do have buffering enabled, and do use ADSM 6.x with IOS 8.x and I do see these top 10 usage stats.
I will run those commands into the CLI and get back to you!
Buffering does not affect that much, it can stay, but Top 10 usage does! A relaoad after disabling Top 10 usage is necessary.
This is one of the popular reasons for high memory consumption that use IOS 8.x and ASDM 6.x. There is no specific output from Andy's previous post proves that
Do I need a reload?
I disabled them and my memory went from 329mb to 276mb instantly! Pretty good start :)
These 2 remain though, do I still need them?
threat-detection statistics access-list
Let these two stay. basic threat detection is a new feature that comes with IOS 8.0. It checks for specific rates of traffic flows and sends syslog messages when something unusual occurs. If you like you can disable it and see if its memory usage is considerable.
A Reload may work for a lower usage.
I was just wondering if you or anyone could look at my memory process output and see what is using the memory?
I don't have the knowledge/experience to understand this output yet.
Thanks in advance for you time spent helping me out.
Oh... I have posted here something but it doesnt appear, sometimes responses do not post.
Without having any idea about your device utilization, "tmatch compile thread" consumes way too high memory in my opinion (130MB+) . Never heard of that thread before, looks like a TAC issue. Also fover_parse consumes memory (40MB+), do you have a failover configuration?
I read some bugs related to fover process in IOS 8.0.3(6). I suggest you to upgrade your IOS to 8.0.3(12) or higher.
How do I contact TAC, I have never done this before? I have a Smartnet for this firewall.
I do have a failover ASA 5520 too in active/standby mode.
Is 256mb memory high for an ASA? I have about 12 VLAN's (sub interfaces for webservers, and a WAN for 6 offices), 10 VPN's, 30 remote users, 600 users on the inside.
This link will help you to contact TAC
No, 256 MB is not a high memory usage for an ASA, but 130 MB for a single process does not look right. 40MB looks reasonable for fover_parse when your ASA is in A/A failover. I also made a search on internet and have not found any valuable information about "tmatch compile thread" or a report about an abnormal memory consumption by it. You can ask TAC about that process.
Well whatever thread it is it seems to cause a lot of bugs, I can locate seven:
Bug ID Status Severity
Traceback in Thread Name: tmatch compile thread after clear config all Info
Traceback in Thread Name: tmatch compile after assert Info
ASA 7.0.6 Traceback in tmatch compile. Info
Traceback in Thread Name: Checkheaps when Simultaneous login set to 1 Info
Traceback on tmatch_compile_thread Info
Policy NAT with large ACL and HA may traceback in tmatch compile thread Info
Traceback in Thread Name: tmatch compile thread Info
Hi, I'm on:
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(3)
Compiled on Tue 06-Nov-07 22:59 by builders
System image file is "disk0:/asa803-k8.bin"
Do I need to upgrade?
In my humble opinion it would be best to log a case with Cisco TAC and have them suggest you a suitable version (or any workaround) for this issue.
Now this requires decoding of fragment sizes using TAC internal tools, please open a TAC case, call 1-800-553-2447
TAC said the memory is not high (260mb) and sad "tmatch compile thread" is the memory process dealing wth my ACL's, so not much I can do about that.
He said I could do:
asa(config)#no threat-detection basic-threat
asa(config)#no threat-detection statistics access-list
"Please note that the bug indicates that you would need to remove "threat
detection" configuration and reboot the device in order to reclaim the
memory and this will work only if you are facing memory issues."
Thing is those 2 commands sound lke important security features, are they worth turninig off?
Also I have IPS AIM-10 yet to be turned on, will this take over anyway?
The threat detection is not really a 'critical' feature of the firewall and can be turned off. It was introduced not so long ago. Its capabilites are also pretty limited interms of analyzing attack dynamics.
There are some features/signatures with the IPS which can takeover, but there is no real integration b/w the Cisco ASA and IPS module. They are two separate entities sharing the same metal case :).