Cisco Firewall :: ASA 5520 / Crypto Errors CTM ERROR / Failed To Allocate X Bytes Of Memory
Oct 9, 2012
I am currently getting a strange error when trying to use any crypto services on our ASA 5520 (8.0.3). Initially I observed that a connected VPN had dropped. Then when I attempted to use ASDM or SSH I was blocked.
In the end I opened telnet as a test and this was successful. Syslog also shows that traffic is passing as normal. The only obvious error I can see when observing various debug traces is this:
FW02# CTM: rsa session with no priority allocated @ 0xCF1FBBA0
CTM: Session 0xCF1FBBA0 uses a nlite (Nitrox Lite) as its hardware engine
CTM: rsa context allocated for session 0xCF1FBBA0
CTM: rsa session with no priority allocated @ 0xCE7A5EA8
I got an ASA 5510. After problems with IPsec connections the log said:
LU allocate xlate failed
This error repeats every minute. At the Cisco site I found the following:
Explanation: Stateful failover failed to allocate a translation (xlate) slot record.
Recommended Action: Check the available memory by using the show memory command to make sure that the security appliance has free memory in the system. If no memory is available, add more memory.
We have two ASA 5520s; the failover unit is showing LU allocate xlate failed. We read on [URL] that it could be a memory problem, but we have checked it and we have 85% of memory free on both nodes. We can also see all xlates on the failover unit.
We forced a failover this evening and we can't establish outbound connections through the outside interface; we think xlates or NAT can't work properly.
I am running IOS version 8.0(5) on a Cisco ASA 5520. The issue I am facing is that when the memory utilization reaches 49 percent, the web-vpn users are not able to log in, as they are getting a blank page. The only error I am getting in the output of "sh mem webvpn allobjects" is ERROR: Memory allocation failed?
We have a Cisco 881 router, which is crashing. We have seen that the ARP cache fills up so much it causes things to crash, and our phones go down. We don't know why this happens; however, IP CEF seems to be doing it: when we disable it the problem goes away, but disabling IP CEF also causes our L2TP tunnel to become inoperable. So why does IP CEF cause thousands of ARP entries and how can we limit that? Below is the error, a sample of the ARP cache and our config. You will notice we also have a /31 given to us on the WAN interface; this was given to us by our service provider. This is really strange; I can't find other examples on the internet.
The error:
Nov 1 04:21:57.474: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x81F083F4, alignment 16 Pool: Processor Free: 55176 Cause: Not enough free memory Alternate Pool: I/O Free: 2352 Cause: Not enough free memory
We just had an issue with our failover unit reloading. In perusing the logs there were a number of %ASA-3-210007: LU allocate xlate failed errors prior to the reload. These units had just had their OS upgraded to fix a DOS issue a few weeks ago. I have not seen the error since it reloaded. However, I was asked to report the issue just in case it is a bug in the new version of the OS. Two units in failover.
Cisco Adaptive Security Appliance Software Version 8.0(5)9
Device Manager Version 6.0(2).
Compiled on Mon 01-Feb-10 10:36 by builders
System image file is "disk0:/asa805-9-k8.bin"
Config file at boot was "startup-config"
CP-ASA up 17 days 21 hours
failover cluster up 17 days 22 hours
[code]....
I'm having a problem with the memory and also with trying to create some rules on the CISCO ASA. The version that I had installed was 8.2.5.33 on a CISCO 5520 with 512 RAM; the memory usage is at 99% used, 1% free, and because of that when I'm trying to create a new rule the firewall brings me the next error... So what I did was a downgrade to version 8.2 (4) 4 and the memory went down a little (82% used, 18% free), but I still get the error when I'm creating an access rule on the device. One thing, and I'm not sure if this could affect the performance, is the number of access lists and object groups that are created.
I already opened a case with CISCO TAC and they are checking whether the problem is with the memory capacity or maybe a memory leak. Also, the doubt that I have is: with the memory that I now have available, should I be able to create access rules, or is 82 still too high to create a rule or an object group?
We saw this syslog on ASA5585 with version 8.4(1). I have two HA firewall pairs (contains 4 ASA5585, active/standby), and I saw this message on the standby ones.
Jun 7 07:36:26 10.99.96.32 last message repeated 4 times
Jun 7 07:36:26 10.99.96.32 :Jun 07 07:36:26 HKST: %ASA-ha-3-210005: LU allocate connection failed
Customer is running ASA 5550 with software 8.2.5 version.
They continuously get the below messages:
%ASA-3-210005: LU allocate connection failed
%ASA-3-210007: LU allocate xlate failed
I have already searched in the forums and also the BUG toolkit. These issues have either been resolved in prior releases or in the 8.4.x train. I didn't find any bug which says that it has been found in the 8.2.5 release.
I have also run "show conn count" and "show xlate count". I see there is a difference in the count output.
From Standby
COGINBLRMBPB1INTF1# show conn count
6097 in use, 17220 most used
COGINBLRMBPB1INTF1# sh xlate count
- almost all other online applications work just fine (including voice over IP and games)
What I've tried (without any success):
1.) I could connect in either case using my old laptop! Thus it works on a different computer, from the same network, at the same/similar time. Thus I concluded it must be somehow related to this laptop (it's a new laptop).
2.) The TS2 server & entered information is 100% working, same applies to Torchlight 2 - also latest updates installed and of course the game is totally legal.
3.) Windows firewall: all the mentioned programs are on the allowed list. Also checked whether it's correctly set to "home network". Furthermore I also tried disabling the Windows firewall entirely.
4.) No other firewall program in use.
5.) Checked all programs I know of which might be related to network traffic (e.g. Qualcomm Atheros Killer Network Manager - disabled it).
6.) Tried both wireless and ethernet cable connection.
7.) I even tried running the game, Torchlight 2, via Tunngle (explained in a layman's words: a program that simulates LAN over the internet).
Some information about my system: It's a new laptop. Network card is labeled as "Killer e2200 PCI-E Gigabit Ethernet Controller". Runs Windows 7 and did start out empty: i.e. I installed every single program running on the machine and as far as I know none of them should have anything to do with network. Virus scanner is the latest version of AVG free (no firewall included).
I was looking at my CISCO ASA 5520 and I found something really strange:
ciscoasa/VPN-context# sh mem detail
Used memory: 4259249568 bytes (793%)
------------- ----------------
Total memory: 536870912 bytes (100%)
but when I look at the system context this is what I see:
ciscoasa# sh mem
Free memory: 170829000 bytes (32%)
Used memory: 366041912 bytes (68%)
------------- ----------------
Total memory: 536870912 bytes (100%)
As far as I know the ASA is working good.
Info of the device:
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
I just noticed that I'm getting some alloc memory errors with a FlexWAN card I have on a Cisco 6513 in slot 5/1; however, I can't seem to figure out how to get more information on this and whether the issue is related to the FlexWAN module or the DS3 card itself. Not really sure how to view memory stats/errors for a particular FlexWAN card on the 6500 platform. The 6500 has been up for a long time and rebooting it might work, but I wanted to know what should be done before I reboot the 6500.
The entire "incoming log table" is just full of this! It's all the same! This is on the current firmware 4.0.4.02
Sep 20 12:49:35 2011 Kernel Out of memory: Killed process 5385 (iptables).
Sep 20 12:49:39 2011 Kernel Out of Memory: Kill process 5387 (iptables) score 591 and children.
Sep 20 12:49:39 2011 Kernel Out of memory: Killed process 5387 (iptables).
Sep 20 12:49:43 2011 Kernel Out of Memory: Kill process 5389 (iptables) score 591 and children.
Sep 20 12:49:43 2011 Kernel Out of memory: Killed process 5389 (iptables).
Sep 20 12:49:48 2011 Kernel Out of Memory: Kill process 5391 (iptables) score 591 and children.
I see no one has a clue. Anyway, added a copy of the log file. It's just streaming out errors. Serious bug in the new firmware.
I have a new ASA 5520 from the box and I have already configured int g0/1 with ip 10.15.14.5 255.255.255.0 nameif inside. Kindly see details of the config below.
I just received an RMA for a failed ASA 5520 that was acting as the secondary unit in a multicontext configuration. What would be the correct procedure to install it back in production? Do I need to restore the backed-up config of the fallen unit, or is it enough just to enable multimode and connect to the existing (primary) unit? Any good link for documentation that deals with these issues?
I have a Cisco 3845 series router with c3900-universalk9-mz.SPA.151-4.M2.bin IOS. I want to install a new licence on it for DATA. When I am trying to install the licence on it I am facing the error "% Error: License installation failed with error: XML parsing failed".
I am trying to configure Crypto PKI on a Cisco 2911. Once I configured the root certificate for the router, I can see the validity date wrongly, but the same certificate is fine on the other devices. [code]e when I am trying to configure the local certificate.
We have an L2L VPN tunnel between our headquarters (ASA5520 with network 10.100.1.0) and a branch office (Cisco1841 with network 10.100.10.0). This has worked fine for years, but now we wish to change the configuration so that ALL traffic from the branch office goes over the VPN tunnel. My question: how do I have to change the crypto ACL to achieve this? Below the relevant parts of the branch route.
We started getting the below syslog messages from one of our ASA5520s which was recently upgraded to 8.4(2). Are there any bugs in 8.4(2) that cause this, or is it simply a RAM failure?
%ASA-3-105010: (Primary) Failover message block alloc failed
%ASA-3-321007: System is low on free memory blocks of size 1550 (0 CNT out of 18709 MAX)
Recently I started having problems with my Cisco router 1811/K9; apparently it was booting continuously when restarted.
After I connected my console I found the problem while booting:
DDR memory test failed. Resetting the router ...
I tried to contact Cisco TAC, but I need a reseller contract number to place a ticket; I do not have a reseller contract number as my router was bought more than two years ago. I called Cisco support and they told me to contact my reseller, my reseller told me to contact Cisco, so I am in an eternal loop of forwarding phone calls...
I have configured the primary firewall and everything seems to be fine. We have also configured the failover device; while the config is getting replicated to the failover device we are getting the below error.
ERROR: Cannot add policy to rule engine
ERROR: Unable to assign access-list LAN_out to interface inside
IOS and model are the same. All the config got replicated from primary to secondary except the one access group command.
When trying to access the ASA (8.0(3)) with ASDM the console sends the following error message:
vPif_isVpifNumValid: pifNum out of range!
vPif_getVpif: bad vPifNum(0xa6) from 87EBC81 from 83833B4
Have a strong suspicion that it is a hardware failure (since ASDM has worked and have tried to restart the box). Cannot see any errors with any show commands, but could it be a RAM error?
We recently installed a Cisco 6509-E with dual Sup 720-BXL. We are using this switch on the internet edge. The internet connection is terminating on a 10GIG fiber port. We do have the following line cards installed.
We do have a 2 GB internet pipe. We are running a load test sending HTTP port 80 requests, and when the load reaches around 100 to 200 mbps and connections from outside to inside reach 80,000, the switch starts responding very, very slowly and starts losing packets. When I try to ping from one server to a second server it shows normal ping, but if I try to ping the gateway IP of the server, which is the SWITCH IP, it shows packet loss and very high latency.
The switch also throws the message "No memory available: Update of NVRAM configuration failed"
How to allocate bandwidth for a certain host or service in Cisco ASA 5510 Firewall using ASDM? For instance, I would like to dedicate 2MB for H323 service (Video Conference Call).
I need to count the bytes for some interesting traffic crossing the firewall in ASA 5500. Packet Capture is so far as I need, cause I only need the number of bytes during a long time for about 3 months (source host - destination host)
capture capin type raw-data access-list cap buffer 33554432 interface inside circular-buffer [Capturing - 33553570 bytes]
I need to get only the exact amount of "33553570 bytes". The pcap file is not needed.
As soon as I connected my ASR 1002s to the Internet and digested the Internet BGP table, I began receiving this message. I’ve google’d and turned up nothing so far. I assume I need to allocate more memory to this process.
I have some problems when I try to access the switch by telnet or ssh; by the console port, the switch shows me the next message. I need to restart the switch in order to access it again.
Nov 16 13:23:21.355: %SYSTEM_CONTROLLER-3-MORE_COR_ERR: 255 correctable DRAM memory errors in previous hour
Nov 16 13:23:21.355: %SYSTEM_CONTROLLER-3-COR_MEM_ERR: Correctable DRAM memory error. Count 623, log 8053C830
Nov 16 14:23:21.340: %SYSTEM_CONTROLLER-3-MORE_COR_ERR: 255 correctable DRAM memory errors in previous hour
Nov 16 14:23:21.340: %SYSTEM_CONTROLLER-3-COR_MEM_ERR: Correctable DRAM memory error. Count 879, log 8053C810
error on switch console every hour.
ios version : Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXJ1, RELEASE SOFTWARE (fc2)
I'm trying to connect my new Dell Dimension 8400 (3.0Ghz/512Mb/XPsp1) to my home wireless network. I installed two different PCI adapter cards in my one available PCI slot -- an older D-Link (11b) and a brand new Netgear (11g) (which Dell Sales assured me is compatible). Both cards detected my Netgear wireless router and provided an excellent internet connection, so I'm assuming they were seated properly. The problem is that every time I shut down the system I get the blue screen of death with the following message:
-Hardware Malfunction
-NMI: Parity Check/Memory Parity Error
-The System has halted
The system runs and shuts down perfectly when the PCI cards are removed. D-Link and Netgear Support technicians told me I have to contact Dell, but Dell Support doesn't seem to have an answer for me. Which wireless PCI adapter cards are truly compatible with Dell hardware?