Cisco Support Community
New Member

Memory high on ASA 5520, can I find out what it is?

Hi,

I have an ASA 5520 with 512mb of memory. Over the last few months the memory has increased from 25% to an average of 65%.

I have added about 10 VPNs recently, which increased it by 10%, but the other part I can only think is from our WAN. Our WAN is connected to a VLAN on a Cisco 3750 that is trunked to the ASA's 0/2 port.

These VPNs and WAN offices are controlled using numerous ACEs.

Are there any methods to show what could be using the memory?

Thanks

23 REPLIES
New Member

Re: Memory high on ASA 5520, can I find out what it is?

New Member

Re: Memory high on ASA 5520, can I find out what it is?

Our Internet pipe (VPNs come in) just went down for 10 mins, and the memory didn't change, which makes me think the Internet and VPNs haven't caused the memory to increase.

Here is my output:

    show memory
    Free memory:        191530360 bytes (36%)
    Used memory:        345340552 bytes (64%)
    -------------     ----------------
    Total memory:       536870912 bytes (100%)

    show xlate count
    514 in use, 1223 most used

    sh conn count
    810 in use, 1915 most used

    sh blocks
     SIZE    MAX    LOW    CNT
        0    100     62    100
        4    728    727    727
       80    700    683    700
      256    612    579    612
     1550   8881   7314   7583
     2048   2612   2339   2358
     2560    164    164    164
     4096    100    100    100
     8192    100    100    100
    16384    230    230    230
    65536     16     16     16
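One way to read the `show memory` and `show blocks` output posted above, as an added example that is not part of the original thread: it checks that the memory figures are consistent, computes the exact used percentage, and flags block pools whose low-water mark is near zero. The function names and the 10% floor are assumptions chosen for illustration.

```python
import re

# Output copied from the post above (ASA 5520, 512 MB of RAM).
SHOW_MEMORY = """\
Free memory: 191530360 bytes (36%)
Used memory: 345340552 bytes (64%)
Total memory: 536870912 bytes (100%)
"""
SHOW_BLOCKS = """\
SIZE MAX LOW CNT
0 100 62 100
4 728 727 727
80 700 683 700
256 612 579 612
1550 8881 7314 7583
2048 2612 2339 2358
2560 164 164 164
4096 100 100 100
8192 100 100 100
16384 230 230 230
65536 16 16 16
"""

def parse_memory(text):
    """Byte counts from 'show memory', plus the exact used percentage."""
    found = re.findall(r"^(Free|Used|Total) memory:\s+(\d+) bytes", text, re.M)
    mem = {name.lower(): int(value) for name, value in found}
    if mem["free"] + mem["used"] != mem["total"]:
        raise ValueError("free + used != total; output truncated?")
    mem["used_pct"] = round(100 * mem["used"] / mem["total"], 1)
    return mem

def parse_blocks(text):
    """One dict per block pool from 'show blocks' (header line is skipped)."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and all(f.isdigit() for f in fields):
            rows.append(dict(zip(("size", "max", "low", "cnt"), map(int, fields))))
    return rows

def pressured_pools(rows, floor=0.10):
    """Sizes of pools whose LOW (fewest free blocks seen since the counters
    were last cleared) fell to floor * MAX or below; LOW == 0 means exhausted."""
    return [r["size"] for r in rows if r["low"] <= r["max"] * floor]

if __name__ == "__main__":
    print(parse_memory(SHOW_MEMORY)["used_pct"], pressured_pools(parse_blocks(SHOW_BLOCKS)))
```

On the posted output no pool is flagged, so the block buffers are not under pressure and the growth is in heap memory.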

Re: Memory high on ASA 5520, can I find out what it is?

Hello Andy,

If you enabled buffered logging, or you have ASDM 6.0 with IOS 8.0, the Top 10 usage services consume a lot of memory. Disable them with the following commands:

    no threat-detection statistics host
    no threat-detection statistics port
    no threat-detection statistics protocol

Regards

New Member

Re: Memory high on ASA 5520, can I find out what it is?

Hi, how did you determine that the top 10 services are consuming the high memory, and what should the normal statistics be? Thanks

New Member

Re: Memory high on ASA 5520, can I find out what it is?

Hi,

I do have buffering enabled, and do use ASDM 6.x with IOS 8.x, and I do see these top 10 usage stats.

I will run those commands into the CLI and get back to you!

Re: Memory high on ASA 5520, can I find out what it is?

Andy,

Buffering does not affect that much, it can stay, but Top 10 usage does! A reload after disabling Top 10 usage is necessary.

Ray,

This is one of the popular reasons for high memory consumption on devices that use IOS 8.x and ASDM 6.x. There is no specific output in Andy's previous post that proves that.

Regards

New Member

Re: Memory high on ASA 5520, can I find out what it is?

Do I need a reload?

I disabled them and my memory went from 329mb to 276mb instantly! Pretty good start :)

These 2 remain though, do I still need them?

threat-detection basic-threat

threat-detection statistics access-list

New Member

Re: Memory high on ASA 5520, can I find out what it is?

I would advise you to clear it, then see the response.

Ray

Re: Memory high on ASA 5520, can I find out what it is?

Let these two stay. Basic threat detection is a new feature that comes with IOS 8.0. It checks for specific rates of traffic flows and sends syslog messages when something unusual occurs. If you like, you can disable it and see if its memory usage is considerable.

A reload may work for lower usage.

Re: Memory high on ASA 5520, can I find out what it is?

Also, you can track down the process that uses memory with

show processes memory

New Member

Re: Memory high on ASA 5520, can I find out what it is?

After a reload it is down to 258mb!

Attached is my show memory output, can you see what is high?

Many thanks

New Member

Re: Memory high on ASA 5520, can I find out what it is?

Hi,

I was just wondering if you or anyone could look at my memory process output and see what is using the memory?

I don't have the knowledge/experience to understand this output yet.

Thanks in advance for your time spent helping me out.

Re: Memory high on ASA 5520, can I find out what it is?

Oh... I posted something here but it doesn't appear; sometimes responses do not post.

Without having any idea about your device utilization, "tmatch compile thread" consumes way too much memory in my opinion (130MB+). Never heard of that thread before, looks like a TAC issue. Also fover_parse consumes memory (40MB+), do you have a failover configuration?

I read about some bugs related to the fover process in IOS 8.0.3(6). I suggest you upgrade your IOS to 8.0.3(12) or higher.

New Member

Re: Memory high on ASA 5520, can I find out what it is?

Hi,

How do I contact TAC? I have never done this before. I have a Smartnet for this firewall.

I do have a failover ASA 5520 too, in active/standby mode.

Is 256mb memory high for an ASA? I have about 12 VLANs (sub interfaces for webservers, and a WAN for 6 offices), 10 VPNs, 30 remote users, 600 users on the inside.

Re: Memory high on ASA 5520, can I find out what it is?

This link will help you to contact TAC

http://www.cisco.com/en/US/support/tsd_contact_technical_support.html

No, 256 MB is not high memory usage for an ASA, but 130 MB for a single process does not look right. 40MB looks reasonable for fover_parse when your ASA is in A/A failover. I also searched the internet and have not found any valuable information about "tmatch compile thread" or a report of abnormal memory consumption by it. You can ask TAC about that process.

Re: Memory high on ASA 5520, can I find out what it is?

Well whatever thread it is it seems to cause a lot of bugs, I can locate seven:

| Bug ID | Headline | Status | Severity |
|---|---|---|---|
| CSCse92565 | Traceback in Thread Name: tmatch compile thread after clear config all | Fixed | 2 |
| CSCsf25418 | Traceback in Thread Name: tmatch compile after assert | Fixed | 2 |
| CSCsg39502 | ASA 7.0.6 Traceback in tmatch compile. | Fixed | 2 |
| CSCsl32225 | Traceback in Thread Name: Checkheaps when Simultaneous login set to 1 | Fixed | 2 |
| CSCso76239 | Traceback on tmatch_compile_thread | Terminated | 2 |
| CSCsg69149 | Policy NAT with large ACL and HA may traceback in tmatch compile thread | Fixed | 2 |
| CSCsd88914 | Traceback in Thread Name: tmatch compile thread | Fixed | 3 |

Regards

Farrukh

New Member

Re: Memory high on ASA 5520, can I find out what it is?

Hi, I'm on:

    sh ver
    Cisco Adaptive Security Appliance Software Version 8.0(3)
    Device Manager Version 6.0(3)
    Compiled on Tue 06-Nov-07 22:59 by builders
    System image file is "disk0:/asa803-k8.bin"

Do I need to upgrade?

Re: Memory high on ASA 5520, can I find out what it is?

In my humble opinion it would be best to log a case with Cisco TAC and have them suggest you a suitable version (or any workaround) for this issue.

Regards

Farrukh

Cisco Employee

Re: Memory high on ASA 5520, can I find out what it is?

Give me the "sh mem detail" output.

New Member

Re: Memory high on ASA 5520, can I find out what it is?

Hi, here it is attached

Cisco Employee

Re: Memory high on ASA 5520, can I find out what it is?

Now this requires decoding of fragment sizes using TAC internal tools, please open a TAC case, call 1-800-553-2447

New Member

Re: Memory high on ASA 5520, can I find out what it is?

Hi,

TAC said the memory is not high (260mb) and said "tmatch compile thread" is the memory process dealing with my ACLs, so not much I can do about that.

He said I could do:

    asa(config)#no threat-detection basic-threat
    asa(config)#no threat-detection statistics access-list

"Please note that the bug indicates that you would need to remove "threat detection" configuration and reboot the device in order to reclaim the memory and this will work only if you are facing memory issues."

Thing is, those 2 commands sound like important security features, are they worth turning off?

Also I have IPS AIM-10 yet to be turned on, will this take over anyway?

Re: Memory high on ASA 5520, can I find out what it is?

The threat detection is not really a 'critical' feature of the firewall and can be turned off. It was introduced not so long ago. Its capabilities are also pretty limited in terms of analyzing attack dynamics.

There are some features/signatures with the IPS which can take over, but there is no real integration between the Cisco ASA and the IPS module. They are two separate entities sharing the same metal case :).

Regards

Farrukh
