PIX 515E - High Memory Utilization

Anup Sasikumar
Level 1

Hi Experts,

We are experiencing high memory utilization on a PIX 515E firewall. It has 128MB DRAM and the average utilization stays mostly at 99%, which is quite a concern now. Remote Access VPN users are unable to connect, with the following error when they try connecting:

"Secure VPN Connection terminated by Peer . Reason 433 (Reason Not Specified by Peer ) "

Can it be because of the high memory utilization?

Also note that we have the failover mechanism enabled with a Primary/Secondary, Active/Standby configuration. Due to the high memory utilization we are also unable to write the configuration to memory. The following error shows up:

------------------------------------------------

C17440-BJ08-PIX2# write memory

Building configuration...

No memory available

Error executing command

[FAILED]

-------------------------------------------------

The #show memory statistics are as given below

-------------------------------------------------

C17440-BJ08-PIX2# sh memory

Free memory:         1819856 bytes ( 1%)

Used memory:       132397872 bytes (99%)

-------------     ----------------

Total memory:      134217728 bytes (100%)

C17440-BJ08-PIX2#

---------------------------------------------------

The # sh version details are as given below

---------------------------------------------------

C17440-BJ08-PIX2# sh ver

Cisco PIX Security Appliance Software Version 7.2(4)

Device Manager Version 5.2(4)

Compiled on Sun 06-Apr-08 13:39 by builders

System image file is "flash:/image.bin"

Config file at boot was "startup-config"

C17440-BJ08-PIX2 up 1 hour 39 mins

failover cluster up 1 year 49 days

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0           : address is 001d.a215.5878, irq 10

1: Ext: Ethernet1           : address is 001d.a215.5879, irq 11

Licensed features for this platform:

Maximum Physical Interfaces : 6

Maximum VLANs               : 25

Inside Hosts                : Unlimited

Failover                    : Active/Active

VPN-DES                     : Enabled

VPN-3DES-AES                : Enabled

Cut-through Proxy           : Enabled

Guards                      : Enabled

URL Filtering               : Enabled

Security Contexts           : 2

GTP/GPRS                    : Disabled

VPN Peers                   : Unlimited

This platform has an Unrestricted (UR) license.

Serial Number: 907380160

Running Activation Key: 0xf72c7fe2 0x81fb96d9 0x70dab81b 0x67d49718

Configuration last modified by enable_1 at 12:26:39.880 UTC Tue Feb 14 2012

----------------------------------------------------------------

Is it normal for the PIX to have such high memory utilization? How can I reduce the memory utilization? How can I upgrade the memory if I need to? What kind of memory should I be using for the upgrade?

Please suggest

Many Thanks ,

Anup

Regards,
Anup
5 Replies

mvsheik123
Level 7

99% is definitely an issue. Based on the link below, it appears 128MB is the max for the failover pair. Did you check the translations (show xlate)? Try to clear the translations if this seems to be the issue. Also, try a reboot, and if the issue still exists, you may be hitting a bug. Try to contact TAC. I am not sure if support is still available for PIX, but give it a try.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/prod_bulletin0900aecd8023c8d4.html

hth

MS 

Hi MS ,

A valid Service Contract for the device is required to contact TAC, right?

Thanks ,

Anup

Regards,
Anup

Patrick0711
Level 3

- Perform the following:

show blocks

Look for any blocks that have a low count at or near 0. The 1550 block being exhausted is indicative of your interfaces being overrun. You will likely see large 'no buffer' counters when you perform a 'show interfaces' command. If other blocks show low counts near 0, you can likely pinpoint your issue from there by checking the command reference for explanations of the other blocks.

- Is your NAT 0 configuration large? Poorly applied NAT 0 configurations can cause a huge number of entries in the NAT table, which can consume memory.

- Similarly, very large crypto configurations with large crypto access-list configurations can cause the security association database and the security policy database to grow very large, which can also consume memory.

What's your config like?

Hi Patrick ,

Can a large running configuration with lots of IP based blocking be the cause of a memory utilization issue?

We have provided access to external servers by adding those into an object group and then mentioning the group in an access list. Would reconfiguring them based on a network or a subnet help in reducing the memory utilization? Is it in some way related?

Thanks ,

Anup

Regards,
Anup

Anup Sasikumar
Level 1

Hi all ,

The issue has been successfully resolved now. The configuration had a huge number of network objects which were public IP based. It was all summarized to networks and the new network objects were created with summarized networks. The IP based network objects were removed from the configuration as well. As soon as the objects were removed the memory utilization went down and it is now at a less critical 78%.

Thanks ,

Anup

Regards,
Anup
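The summarization described in the resolution above can be scripted; this is an added example, not part of the original thread. It collapses the entries of one `object-group network` into the fewest networks that cover exactly the same addresses, so the rule set shrinks without permitting any host that was not already listed (summarizing by hand to a larger covering subnet would widen access). The group name and addresses are constructed sample data.

```python
import ipaddress
import re

# Constructed sample config (documentation address ranges, not from the thread).
SAMPLE_CONFIG = """\
object-group network EXT-SERVERS
 network-object host 198.51.100.0
 network-object host 198.51.100.1
 network-object host 198.51.100.2
 network-object host 198.51.100.3
 network-object host 203.0.113.9
 network-object 192.0.2.0 255.255.255.128
 network-object 192.0.2.128 255.255.255.128
"""

HOST_RE = re.compile(r"^\s*network-object\s+host\s+(\S+)\s*$")
NET_RE = re.compile(r"^\s*network-object\s+(\d\S*)\s+(\d\S*)\s*$")


def parse_entries(config):
    """Return (group name, list of IPv4Network) for a single object-group."""
    name, nets = None, []
    for line in config.splitlines():
        if line.startswith("object-group network "):
            name = line.split()[2]
        elif (m := HOST_RE.match(line)):
            nets.append(ipaddress.ip_network(m.group(1) + "/32"))
        elif (m := NET_RE.match(line)):
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return name, nets


def summarize(config):
    """Collapse entries into the fewest networks covering exactly the same addresses."""
    name, nets = parse_entries(config)
    collapsed = list(ipaddress.collapse_addresses(nets))
    lines = [f"object-group network {name}"]
    for net in collapsed:
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return len(nets), len(collapsed), "\n".join(lines)


if __name__ == "__main__":
    before, after, new_group = summarize(SAMPLE_CONFIG)
    print(f"{before} entries -> {after} entries")
    print(new_group)
```

Only contiguous, aligned entries merge; isolated hosts stay as `host` lines, so review the output before replacing the group on the firewall.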