Field Notice: FN - 72212 - ASA 5500-X - Sustained Burst Of Connection Requests Might Cause Overallocation Of DMA Memory - Workaround Provided
Available Languages
Notice
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
1.0 |
23-Jul-21 |
Initial Release |
1.1 |
02-Sep-21 |
Updated the Products Affected and Workaround/Solution Sections |
Products Affected
| Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
|---|---|---|---|---|
NON-IOS |
Adaptive Security Appliance (ASA) Software |
9 |
9.12.2, 9.12.3, 9.12.4, 9.14.1, 9.14.2, 9.14.3, 9.15.1, 9.16.1, 9.16.1 Interim, 9.16.2, 9.8.2, 9.8.4, 9.9.2.235 |
|
NON-IOS |
Adaptive Security Appliance (ASA) Software |
Interim |
9.0.4 Interim, 9.1.7 Interim, 9.10.1 Interim, 9.12.1 Interim, 9.12.4 Interim, 9.13.1 Interim, 9.14.2 Interim, 9.14.3 Interim, 9.15.1 Interim, 9.2.4 Interim, 9.4.4 Interim, 9.6.4 Interim, 9.8.4 Interim, 9.9.2 Interim |
Defect Information
| Defect ID | Headline |
|---|---|
| CSCvv71435 | ASA 256 and/or 1550 block depletion causes DMA Memory unreleased allocation |
Problem Description
A sustained burst of connection requests can cause the DMA memory to be overallocated for syslog messages. This might cause certain applications that rely on DMA memory to fail in the event that the security appliance runs too low on DMA memory.
This issue affects these Cisco Adaptive Security Appliance (ASA) 5500-X models that run ASA software:
- ASA 5506-X
- ASA 5506H-X
- ASA 5506W-X
- ASA 5508-X
- ASA 5512-X
- ASA 5515-X
- ASA 5516-X
- ASA 5525-X
- ASA 5545-X
- ASA 5555-X
- ASA 5585-X
Background
When informational syslog is enabled while running a port scan through the security appliance or when the security appliance receives a sustained high rate of incoming connections, the syslog process allocates DMA memory. When the port scan completes or when the security appliance no longer receives a sustained high rate of incoming connections, the DMA memory allocated earlier is not released back and might lead to DMA memory allocation failures. Applications such as Cisco AnyConnect and SSH connections that rely on DMA memory might fail to function properly.
Note: This issue is not a security vulnerability.
Problem Symptom
In cases when AnyConnect VPN sessions or SSL connections are affected, the SETUP_BUFFERS_FAILED counter located under SSL protocol will increment significantly when the issue occurs.
In order to check the value of the SETUP_BUFFERS_FAILED counter, administrators can use the show counters privileged EXEC command in the device CLI as shown in this example.
ciscoasa# show counters
Protocol Counter Value Context
*** Output continues ***
SSLERR SETUP_BUFFERS_FAILED 933 Summary
If the value of the SETUP_BUFFERS_FAILED counter increases quickly for a sustained period of time, administrators should reconfigure the ASA per the guidance provided in the Workaround/Solution section.
Workaround/Solution
Depending on the situation that you encounter, use one of these workarounds for the DMA memory allocation issue:
- Rate-limit the syslog message IDs that are generated at a higher rate when the security appliance is under a port scan run or when the security appliance receives a high rate of incoming connections for a sustained period of time.
The most common message IDs that might create a high rate of messages are for connection creation and teardown:
%ASA-6-302013: Built {inbound|outbound} TCP connection_id for interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] to interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] [(user)]
%ASA-6-302014: Teardown TCP connection id for interface :real-address /real-port [(idfw_user )] to interface :real-address /real-port [(idfw_user )] duration hh:mm:ss bytes bytes [reason [from teardown-initiator]] [(user )]In this condition, a possible rate limit configuration that is executed in global configuration mode would be:
ciscoasa(config)# logging rate-limit 1 10000 message 302013 ciscoasa(config)# logging rate-limit 1 10000 message 302014Additional message IDs that might cause the issue include 302015, 302016, 302017, 302018, 302020, 302036, 302303, 302304, 302305, and 302306.
Refer to the "logging rate-limit" section of the Cisco ASA Series Command Reference for additional information.
- Disable the logging of syslog message IDs that are generated at a higher rate. The device can also be reloaded to release the DMA memory overallocated by the logging of syslog messages.
How To Identify Affected Products
In order to determine which Cisco ASA Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and refer to the output of the command. This example shows the output of the command for a device that runs Cisco ASA Software Release 9.4(4):
ciscoasa# show version | include version
Cisco Adaptive Security Appliance Software Version 9.4(4)
Device Manager Version 7.4(1)
*** Output continues ***
If a device is managed with Cisco Adaptive Security Device Manager (ASDM), administrators can also determine which release is running on a device by referring to the release information in the table that appears in the Cisco ASDM login window or the Device Dashboard tab of the Cisco ASDM Home pane.
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.
Feedback
Unleash the Power of TAC's Virtual Assistance