Cisco Bug: CSCvi85382 - ASA5515 Low DMA memory when ASA-IC-6GE-SFP-A module is installed

Last Modified

Oct 02, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.6(4.5) 9.6(4.6) 9.7(1.16) 9.8(1.7) 9.8(2.26) 9.9(1.4)

Description (partial)

Symptom:
Low amount of free DMA memory on ASA5515 when an ASA-IC-6GE-SFP-A module is installed.

Without the module installed, the ASA has roughly the following amount of free DMA memory.

Output of "show memory detail":

MEMPOOL_DMA POOL STATS:
Non-mmapped bytes allocated =    318767104
Number of free chunks       =          159
Number of mmapped regions   =            0
Mmapped bytes allocated     =            0
Max memory footprint        =    318767104
Keepcost                    =     51296016
Max contiguous free mem     =     51296016
Allocated memory in use     =    267395808
Free memory                 =     51371296

With the module installed, free DMA memory drops considerably, to:

MEMPOOL_DMA POOL STATS:
Non-mmapped bytes allocated =    310378496
Number of free chunks       =          158
Number of mmapped regions   =            0
Mmapped bytes allocated     =            0
Max memory footprint        =    310378496
Keepcost                    =         1824
Max contiguous free mem     =         1824
Allocated memory in use     =    310303664
Free memory                 =        74832

When free DMA memory is below 80KB, the ASA rejects incoming management connections such as SSH and HTTPS.

The following messages may be displayed when one of those connections is attempted:

> For SSH ("debug ssh 255"):
%ASA-3-315004: Fail to establish SSH session because RSA host key retrieval failed.

or 

SSH2 0: Derive DH key operation failed.
SSH2 0: DH shared secret computation failed, status 255
SSH2 0: key exchange failed to complete
SSH1: Session disconnected by SSH server - error 0x00 "Internal error"

or 

SSH2 0: RSA signature generation failed, status 255
SSH2 0: signature creation failed
SSH2 0: key exchange failed to complete
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"


> For HTTPS/ASDM ("debug http 255/debug ssl 255"):

error:140BA041:SSL routines:SSL_new:malloc failure@ssl_lib.c:455

or 

error:14076FA2:SSL routines:SSL23_GET_CLIENT_HELLO:setup buffers failed@s23_srvr.c:284
error:1409C041:SSL routines:ssl3_setup_read_buffer:malloc failure@s3_both.c:935
error:14076FA2:SSL routines:SSL23_GET_CLIENT_HELLO:setup buffers failed@s23_srvr.c:284
error:1409C041:SSL routines:ssl3_setup_read_buffer:malloc failure@s3_both.c:935
error:14076FA2:SSL routines:SSL23_GET_CLIENT_HELLO:setup buffers failed@s23_srvr.c:284
HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)

Conditions:
ASA5515 with module ASA-IC-6GE-SFP-A running releases such as: 
9.6.4.5
9.7.1.16
9.8.1.7
9.8.2.26
9.9.1.4
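
To check for the low-DMA condition described under Symptom before management access is lost, the MEMPOOL_DMA block of "show memory detail" can be parsed and compared with the 80KB figure. The following is an added example, not Cisco code and not part of the original bug text; it assumes 80KB means 80 * 1024 bytes, and the function names and the second pool's value in the sample are constructed for illustration.

```python
import re

# Assumption: the page's "80KB" is taken as 80 * 1024 bytes.
DMA_FREE_THRESHOLD = 80 * 1024

# Constructed sample: the DMA lines are the page's "with module installed"
# values; the second pool and its value are invented to show pool selection.
SAMPLE = """\
MEMPOOL_DMA POOL STATS:
Non-mmapped bytes allocated =    310378496
Number of free chunks       =          158
Max contiguous free mem     =         1824
Allocated memory in use     =    310303664
Free memory                 =        74832

MEMPOOL_GLOBAL_SHARED POOL STATS:
Free memory                 =   1234567890
"""

HEADER = re.compile(r"^\s*(\S+) POOL STATS:\s*$")
FIELD = re.compile(r"^\s*(.+?)\s*=\s*(\d+)\s*$")

def parse_pool(text, pool="MEMPOOL_DMA"):
    """Return {field name: int} for one pool block of 'show memory detail'."""
    stats, in_pool = {}, False
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            in_pool = header.group(1) == pool
            continue
        field = FIELD.match(line) if in_pool else None
        if field:
            # Keep the first value seen so later text cannot overwrite it.
            stats.setdefault(field.group(1), int(field.group(2)))
    return stats

def dma_status(text, threshold=DMA_FREE_THRESHOLD):
    """Return (state, free_bytes, max_contiguous_bytes) for the DMA pool."""
    stats = parse_pool(text)
    free = stats.get("Free memory")
    if free is None:
        return ("unknown", None, None)  # pool missing or output truncated
    state = "low" if free < threshold else "ok"
    return (state, free, stats.get("Max contiguous free mem"))

if __name__ == "__main__":
    print(dma_status(SAMPLE))
```

The "unknown" state matters in monitoring: output that is truncated or lacks the DMA pool should raise its own alert rather than be read as healthy.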