Community Member

Pix 515E memory running out

We have 2 PIX 515E's, and all of a sudden the memory has begun to run out very fast. According to the Cisco website, the RAM on the PIX should not change much, if any at all.

We have tried all possible means to ensure there is no DoS being carried out. Are there any further steps we can take to look into this matter?

One of the firewalls' memory takes about 24 hours to run out, and then we have to perform a reload to reduce its memory. The other one seems to be stable at present, but when it starts to misbehave, it also requires a reboot every 2-3 days.

Any ideas welcome

Thanks

Ali

16 REPLIES
Cisco Employee

Re: Pix 515E memory running out

get me,

sh conn count

sh conn detail

sh version

sh xlate count

Community Member

Re: Pix 515E memory running out

.

Community Member

Re: Pix 515E memory running out

sh conn count = 13497 in use, 13589 most used

The conn count is always rising, so in a few hours time, it will be higher than the above.

Cisco PIX Security Appliance Software Versio

Device Manager Version 5.0(1)

Compiled on Thu 31-Mar-05 14:37 by builders

System image file is "flash:/image"

Config file at boot was "startup-config"

smb-fw2 up 10 hours 58 mins

Hardware: PIX-515E, 64 MB RAM, CPU Pentium

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : media index

1: Ext: Ethernet1 : media index

Licensed features for this platform:

Maximum Physical Interfaces : 3

Maximum VLANs : 10

Inside Hosts : Unlimited

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Cut-through Proxy : Enabled

Guards : Enabled

URL Filtering : Enabled

Security Contexts : 0

GTP/GPRS : Disabled

VPN Peers : Unlimited

This platform has a Restricted (R) license.

xlate count = 47 in use, 47 most used

Do you want all of "sh conn detail" ?

Also, is it safe to bump up the RAM in a PIX similar to the above to, say, 192MB? Will this have any side effects?

Thanks

Ali

Cisco Employee

Re: Pix 515E memory running out

13497 in use?? How many users were connected at this time? Do you think these many connections are valid?

Moreover, you are running code 7.x; I would suggest you go up to 128 MB RAM.

Community Member

Re: Pix 515E memory running out

It's hard to say how many users, as we host quite a few servers, but the number 13497 is beyond what we expect.

That's what we think is causing the memory to run out. The total number of connections is rising but not dropping when connections are dropped, hence using up our memory.

Yes, we have 7.x. Can I assume it's OK on our restricted licence to stick in 128MB RAM?

Any ideas on how to drop the number of connections? At present "sh conn count" is 17703 in use, 17743 most used!!

Thanks for your help.

Ali

Cisco Employee

Re: Pix 515E memory running out

Hmm, get me the following:

1) exact version?

2) sh run timeout

3) sh conn

4) sh conn detail (not the entire output, but a few lines that show me the idle connections lying there)

Community Member

Re: Pix 515E memory running out

Version : 7.0(1)

sh run timeout :

timeout xlate 999:59:59

timeout conn 99:59:59 half-closed 99:59:59 udp 99:02:00 icmp 0:00:02

timeout sunrpc 99:10:00 h323 999:59:59 h225 999:59:59 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 99:59:59 sip_media 0:02:00

timeout uauth 99:05:00 absolute

sh conn :

TCP out aa.bb.cc.dd:25663 in server1:25 idle 2:44:57 bytes 114 flags UfrOB

UDP out aa.bb.cc.dd:4623 in server1:53 idle 10:30:15 flags -

UDP out aa.bb.cc.dd:4600 in server1:53 idle 10:30:17 flags -

UDP out aa.bb.cc.dd:4561 in server1:53 idle 10:30:19 flags -

UDP out aa.bb.cc.dd:4530 in server1:53 idle 10:30:20 flags -

UDP out aa.bb.cc.dd:4498 in server1:53 idle 10:30:22 flags -

UDP out aa.bb.cc.dd:4463 in server1:53 idle 10:30:24 flags -

UDP out aa.bb.cc.dd:20462 in server1:53 idle 11:19:49 flags -

TCP out aa.bb.cc.dd:60039 in server2:143 idle 11:02:43 bytes 2752 flags UfIOB

TCP out aa.bb.cc.dd:60034 in server2:143 idle 11:02:42 bytes 9082 flags UfIOB

TCP out aa.bb.cc.dd:3241 in server3:25 idle 5:53:57 bytes 769 flags UfIOB

TCP out aa.bb.cc.dd:30062 in server5:80 idle 3:31:53 bytes 10868 flags UfIOB

TCP out aa.bb.cc.dd:30061 in server5:80 idle 3:33:32 bytes 4706 flags UfIOB

TCP out aa.bb.cc.dd:30060 in server5:80 idle 3:33:31 bytes 7458 flags UfIOB

TCP out aa.bb.cc.dd:30055 in server5:80 idle 3:33:26 bytes 16249 flags UfIOB

TCP out aa.bb.cc.dd:30054 in server5:80 idle 3:33:30 bytes 8498 flags UfIOB

where aa.bb.cc.dd are various IP addresses and serverX relates to servers behind the firewall

Thanks Ashish

Cisco Employee

Re: Pix 515E memory running out

I got it. You have the idle conn timeout/xlate timeout set as 999 hours and 99 hrs, not recommended at all, which is causing the stale idle connections to eat up the memory.

so put these commands in

clear loc

timeout conn 1:0:0

timeout xlate 3:0:0

PS:- Please rate all the posts if they were helpful, so that others could refer to this

Community Member

Re: Pix 515E memory running out

I put the commands in and got the following error:

xlate timeout 3:00:00 cannot be les than the uauth timeout 99:05:00

Usage: timeout [xlate:conn:udp:icmp:sunrpc:h323:mgcp:sip:sip_media:uauth [...]]

Also just for my info - what does "clear loc" do?

What about the timeouts for the rest of the things, such as UDP etc.?

I will certainly rate all your posts, you have been very helpful. Thanks again

Ali

Cisco Employee

Re: Pix 515E memory running out

put the commands in this order

cl local

timeout uauth 0:05:0

timeout conn 1:0:0

timeout xlate 3:0:0

Community Member

Re: Pix 515E memory running out

sh run timeout now shows as follows:

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 99:59:59 udp 99:02:00 icmp 0:00:02

timeout sunrpc 99:10:00 h323 999:59:59 h225 999:59:59 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 99:59:59 sip_media 0:02:00

timeout uauth 0:05:00 absolute

Can you please advise if the rest of the parameters are set OK? Also, in ASDM the "Connection" check box is NOT ticked under Configuration -> Features -> Properties -> Advanced -> Timeouts. Should this be the case? The time is greyed out at 01:00:00.

You have been very helpful; I would highly appreciate it if you can answer the above questions. Otherwise I think you have resolved my case, for which I am very grateful to you.

Thanks

Ali

Cisco Employee

Re: Pix 515E memory running out

These are the default settings which you should have in your firewall. I can see even the UDP timeout value is not correct. Set the following timeout values:

ASA(config)# sh run timeout

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute
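
The check worked through in this thread, as an added example that is not part of the original posts and is not Cisco code: Python that compares saved `sh run timeout` output with the values posted in the reply above and counts `sh conn` entries idle longer than those timers. The function names and the one constructed sample line are assumptions for illustration.

```python
import re

# Baseline timers: the values from the "sh run timeout" output in the reply above.
BASELINE = {"xlate": "3:00:00", "conn": "1:00:00", "half-closed": "0:10:00",
            "udp": "0:02:00", "icmp": "0:00:02", "sunrpc": "0:10:00",
            "h323": "0:05:00", "h225": "1:00:00", "mgcp": "0:05:00",
            "mgcp-pat": "0:05:00", "sip": "0:30:00", "sip_media": "0:02:00",
            "sip-invite": "0:03:00", "sip-disconnect": "0:02:00", "uauth": "0:05:00"}
CONN_RE = re.compile(r"^(TCP|UDP)\s+out\s+\S+\s+in\s+\S+\s+idle\s+(\d+:\d+:\d+)", re.M)

def to_seconds(hms):
    """Convert h:mm:ss (hours may exceed 24) to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_timeouts(text):
    """Return {timer_name: seconds} from 'sh run timeout' output."""
    pairs = re.findall(r"([A-Za-z][\w-]*)\s+(\d+:\d+:\d+)", text)
    return {name: to_seconds(value) for name, value in pairs}

def excessive_timeouts(text):
    """Names of timers configured above the baseline, sorted."""
    current = parse_timeouts(text)
    return sorted(n for n, v in current.items()
                  if n in BASELINE and v > to_seconds(BASELINE[n]))

def stale_connections(text):
    """Count 'sh conn' entries idle longer than the baseline conn/udp timer."""
    stale = {"TCP": 0, "UDP": 0}
    for proto, idle in CONN_RE.findall(text):
        limit = to_seconds(BASELINE["conn" if proto == "TCP" else "udp"])
        if to_seconds(idle) > limit:
            stale[proto] += 1
    return stale

# Timer lines as posted in the thread before the fix.
SAMPLE_TIMEOUTS = """timeout xlate 999:59:59
timeout conn 99:59:59 half-closed 99:59:59 udp 99:02:00 icmp 0:00:02
timeout sunrpc 99:10:00 h323 999:59:59 h225 999:59:59 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 99:59:59 sip_media 0:02:00
timeout uauth 99:05:00 absolute"""
# First three lines come from the posted "sh conn"; the last line is constructed.
SAMPLE_CONNS = """TCP out aa.bb.cc.dd:25663 in server1:25 idle 2:44:57 bytes 114 flags UfrOB
UDP out aa.bb.cc.dd:4623 in server1:53 idle 10:30:15 flags -
TCP out aa.bb.cc.dd:60039 in server2:143 idle 11:02:43 bytes 2752 flags UfIOB
TCP out aa.bb.cc.dd:30099 in server5:80 idle 0:00:12 bytes 512 flags UIOB"""

if __name__ == "__main__":
    print("above baseline:", excessive_timeouts(SAMPLE_TIMEOUTS))
    print("stale entries:", stale_connections(SAMPLE_CONNS))
```

Run against output saved from each firewall, a non-empty first list or a growing stale count points to the same condition diagnosed here: idle entries that are never aged out.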

Community Member

Re: Pix 515E memory running out

OK, I have done that now, and the firewall looks much healthier now. All the check boxes in ASDM are clear (i.e. unticked) in "Timeout" settings - should this be the case?

Sorry, this is my final question and then I will close the case at my end. I would appreciate your response to this.

Thanks

Ali

Cisco Employee

Re: Pix 515E memory running out

All the check boxes in ASDM are clear (ie un ticked) in "Timeout" settings - should this be the case ?

--yes

Community Member

Re: Pix 515E memory running out

Hey Ashish

Thank you so much for solving my case. I really appreciate your dedication and enthusiasm on this case.

All the best

Regards,

Ali

Cisco Employee

Re: Pix 515E memory running out

np
