THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.0 | 23-Jul-21 | Initial Release |
1.1 | 02-Sep-21 | Updated the Products Affected and Workaround/Solution Sections |
Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|---|
NON-IOS | Adaptive Security Appliance (ASA) Software | 9 | 9.12.2, 9.12.3, 9.12.4, 9.14.1, 9.14.2, 9.14.3, 9.15.1, 9.16.1, 9.16.1 Interim, 9.16.2, 9.8.2, 9.8.4, 9.9.2.235 | |
NON-IOS | Adaptive Security Appliance (ASA) Software | Interim | 9.0.4 Interim, 9.1.7 Interim, 9.10.1 Interim, 9.12.1 Interim, 9.12.4 Interim, 9.13.1 Interim, 9.14.2 Interim, 9.14.3 Interim, 9.15.1 Interim, 9.2.4 Interim, 9.4.4 Interim, 9.6.4 Interim, 9.8.4 Interim, 9.9.2 Interim | |
Defect ID | Headline |
---|---|
CSCvv71435 | ASA 256 and/or 1550 block depletion causes DMA Memory unreleased allocation |
A sustained burst of connection requests can cause the DMA memory to be overallocated for syslog messages. This might cause certain applications that rely on DMA memory to fail in the event that the security appliance runs too low on DMA memory.
This issue affects these Cisco Adaptive Security Appliance (ASA) 5500-X models that run ASA software:
When informational syslog is enabled while a port scan runs through the security appliance, or while the security appliance receives a sustained high rate of incoming connections, the syslog process allocates DMA memory. When the port scan completes or the high rate of incoming connections subsides, the DMA memory allocated earlier is not released, which can lead to DMA memory allocation failures. Applications that rely on DMA memory, such as Cisco AnyConnect and SSH connections, might then fail to function properly.
Note: This issue is not a security vulnerability.
In cases when AnyConnect VPN sessions or SSL connections are affected, the SETUP_BUFFERS_FAILED counter located under the SSL protocol increments significantly when the issue occurs.
In order to check the value of the SETUP_BUFFERS_FAILED counter, administrators can use the show counters privileged EXEC command in the device CLI, as shown in this example:
ciscoasa# show counters
Protocol     Counter                     Value   Context
*** Output continues ***
SSLERR       SETUP_BUFFERS_FAILED        933     Summary
The counter is cumulative, so a single reading says little on its own; compare readings taken a known interval apart. If the value of the SETUP_BUFFERS_FAILED counter increases quickly for a sustained period of time, administrators should reconfigure the ASA per the guidance provided in the Workaround/Solution section.
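The check above is easier to apply as a script than by eye. The following is an added example, not code from the Cisco field notice: it parses two captures of show counters taken a known number of seconds apart, computes how fast SSLERR SETUP_BUFFERS_FAILED is growing in each context, and flags contexts above a threshold. The two captures are constructed sample text, not real device output, and the threshold of 100 failures per minute is an assumption for the example (a healthy device should show no growth at all).

```python
import re
from typing import Dict, List, Tuple

# One row of `show counters`: Protocol, Counter, Value, Context.
ROW_RE = re.compile(r"^(?P<proto>\S+)\s+(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<ctx>\S+)$")

# Constructed sample captures, taken about 60 seconds apart; these are not
# real device output. Only the SSLERR row matters for this check.
SNAPSHOT_BEFORE = """\
Protocol     Counter                     Value   Context
IP           IN_PKTS                     91234   Summary
SSLERR       SETUP_BUFFERS_FAILED        933     Summary
*** Output continues ***
"""
SNAPSHOT_AFTER = """\
Protocol     Counter                     Value   Context
IP           IN_PKTS                     98765   Summary
SSLERR       SETUP_BUFFERS_FAILED        1533    Summary
*** Output continues ***
"""


def parse_show_counters(text: str) -> Dict[Tuple[str, str, str], int]:
    """Map (protocol, counter, context) to its value.

    The header, blank lines and '*** Output continues ***' do not match
    the row pattern (their third column is not numeric) and are skipped.
    """
    rows: Dict[Tuple[str, str, str], int] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[(m["proto"], m["name"], m["ctx"])] = int(m["value"])
    return rows


def setup_buffers_failed_growth(before: str, after: str, interval_s: float) -> Dict[str, float]:
    """Per-context growth of SSLERR SETUP_BUFFERS_FAILED, in counts per minute.

    The counter is cumulative, so the difference between two readings a
    known interval apart is what shows whether buffer setup failures are
    still happening.
    """
    old = parse_show_counters(before)
    new = parse_show_counters(after)
    growth: Dict[str, float] = {}
    for (proto, name, ctx), value in new.items():
        if proto == "SSLERR" and name == "SETUP_BUFFERS_FAILED":
            delta = value - old.get((proto, name, ctx), 0)
            growth[ctx] = delta * 60.0 / interval_s
    return growth


def symptomatic_contexts(growth: Dict[str, float], per_minute_threshold: float = 100.0) -> List[str]:
    """Contexts whose counter climbs at or above the threshold.

    The threshold is an assumption for this example, not a figure from the
    field notice.
    """
    return sorted(ctx for ctx, rate in growth.items() if rate >= per_minute_threshold)


if __name__ == "__main__":
    g = setup_buffers_failed_growth(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, interval_s=60)
    for ctx, rate in g.items():
        print(f"{ctx}: SETUP_BUFFERS_FAILED +{rate:.0f}/min")
    print("affected contexts:", symptomatic_contexts(g))
```

Because SSH itself is one of the services the notice says can fail once DMA memory runs low, capture the two readings from the console or an existing session rather than relying on a fresh SSH login when the device is already in the bad state.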
Depending on the situation that you encounter, use one of these workarounds for the DMA memory allocation issue:
The most common message IDs that might create a high rate of messages are for connection creation and teardown:
%ASA-6-302013: Built {inbound|outbound} TCP connection_id for interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] to interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] [(user)]
%ASA-6-302014: Teardown TCP connection id for interface:real-address/real-port [(idfw_user)] to interface:real-address/real-port [(idfw_user)] duration hh:mm:ss bytes bytes [reason [from teardown-initiator]] [(user)]
In this condition, a possible rate-limit configuration, entered in global configuration mode, is:
ciscoasa(config)# logging rate-limit 1 10000 message 302013
ciscoasa(config)# logging rate-limit 1 10000 message 302014
The syntax is logging rate-limit num [interval] message syslog_id, so these commands allow at most one of each message per 10,000-second interval.
Additional message IDs that might cause the issue include 302015, 302016, 302017, 302018, 302020, 302036, 302303, 302304, 302305, and 302306.
Refer to the "logging rate-limit" section of the Cisco ASA Series Command Reference for additional information.
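Before rate-limiting, it helps to know which of the message IDs listed above are actually driving the rate on a given device. The following is an added example, not code from the Cisco field notice: it tallies timestamped ASA syslog lines by message ID, computes the per-second rate over the captured span, and drafts the logging rate-limit lines shown above for any connection message whose rate exceeds a threshold. The syslog lines are constructed for the example (the hostname, addresses and connection IDs are invented), the timestamp layout assumes logging timestamp is enabled, and the threshold is an assumption to tune per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Message IDs the field notice names as the likely high-rate sources.
CONNECTION_MSG_IDS = {302013, 302014, 302015, 302016, 302017, 302018,
                      302020, 302036, 302303, 302304, 302305, 302306}

# Timestamped ASA syslog line; only the timestamp and the message ID are used.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}).*?%ASA-(?P<sev>\d)-(?P<id>\d+):"
)

# Constructed sample: three seconds of a port scan crossing the ASA. The
# hostname, addresses and connection IDs are invented for the example.
SAMPLE_SYSLOG = """\
Jul 23 2021 10:15:01 ciscoasa : %ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.7/50001 (203.0.113.7/50001) to inside:192.0.2.10/22 (192.0.2.10/22)
Jul 23 2021 10:15:01 ciscoasa : %ASA-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.7/50002 (203.0.113.7/50002) to inside:192.0.2.10/23 (192.0.2.10/23)
Jul 23 2021 10:15:01 ciscoasa : %ASA-6-302013: Built inbound TCP connection 1003 for outside:203.0.113.7/50003 (203.0.113.7/50003) to inside:192.0.2.10/25 (192.0.2.10/25)
Jul 23 2021 10:15:02 ciscoasa : %ASA-6-302013: Built inbound TCP connection 1004 for outside:203.0.113.7/50004 (203.0.113.7/50004) to inside:192.0.2.10/80 (192.0.2.10/80)
Jul 23 2021 10:15:02 ciscoasa : %ASA-6-302013: Built inbound TCP connection 1005 for outside:203.0.113.7/50005 (203.0.113.7/50005) to inside:192.0.2.10/110 (192.0.2.10/110)
Jul 23 2021 10:15:02 ciscoasa : %ASA-6-302013: Built inbound TCP connection 1006 for outside:203.0.113.7/50006 (203.0.113.7/50006) to inside:192.0.2.10/443 (192.0.2.10/443)
Jul 23 2021 10:15:02 ciscoasa : %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.7/50001 to inside:192.0.2.10/22 duration 0:00:01 bytes 0 TCP Reset-O
Jul 23 2021 10:15:02 ciscoasa : %ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.7/50002 to inside:192.0.2.10/23 duration 0:00:01 bytes 0 TCP Reset-O
Jul 23 2021 10:15:03 ciscoasa : %ASA-6-302014: Teardown TCP connection 1003 for outside:203.0.113.7/50003 to inside:192.0.2.10/25 duration 0:00:02 bytes 0 TCP Reset-O
Jul 23 2021 10:15:03 ciscoasa : %ASA-6-302014: Teardown TCP connection 1004 for outside:203.0.113.7/50004 to inside:192.0.2.10/80 duration 0:00:01 bytes 0 TCP Reset-O
Jul 23 2021 10:15:03 ciscoasa : %ASA-4-106023: Deny tcp src outside:203.0.113.7/50007 dst inside:192.0.2.10/445 by access-group "outside_in" [0x0, 0x0]
"""


def message_rates(text: str) -> Dict[int, Tuple[int, float]]:
    """Return {message_id: (count, messages per second)} over the span of the input.

    The span runs from the first to the last timestamp, inclusive of the last
    second, so a capture that fits in one second divides by 1 rather than 0.
    """
    counts: Dict[int, int] = defaultdict(int)
    first = last = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
        counts[int(m["id"])] += 1
    if first is None:
        return {}
    span = (last - first).total_seconds() + 1.0
    return {mid: (n, n / span) for mid, n in counts.items()}


def rate_limit_commands(rates: Dict[int, Tuple[int, float]], per_second_threshold: float) -> List[str]:
    """Draft `logging rate-limit` lines for connection messages above the threshold.

    Uses the '1 10000' values the field notice shows (one message per
    10,000-second interval). The threshold is an assumption to tune per
    deployment; the toy sample here is far below a rate that would trouble an
    ASA. Messages outside CONNECTION_MSG_IDS (the 106023 deny) are left alone.
    """
    return [
        f"logging rate-limit 1 10000 message {mid}"
        for mid, (_, per_sec) in sorted(rates.items())
        if mid in CONNECTION_MSG_IDS and per_sec >= per_second_threshold
    ]


if __name__ == "__main__":
    r = message_rates(SAMPLE_SYSLOG)
    for mid, (n, per_sec) in sorted(r.items()):
        print(f"{mid}: {n} messages, {per_sec:.2f}/s")
    print("\n".join(rate_limit_commands(r, per_second_threshold=1.0)))
```

Run it against a syslog-server capture from the period when SETUP_BUFFERS_FAILED was climbing; only the IDs that actually dominate the rate need the rate limit, and the deny message in the sample shows that unrelated IDs are not touched.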
In order to determine which Cisco ASA Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and refer to the output of the command. This example shows the output of the command for a device that runs Cisco ASA Software Release 9.4(4):
ciscoasa# show version | include Version
Cisco Adaptive Security Appliance Software Version 9.4(4)
Device Manager Version 7.4(1)
*** Output continues ***
If a device is managed with Cisco Adaptive Security Device Manager (ASDM), administrators can also determine which release is running on a device by referring to the release information in the table that appears in the Cisco ASDM login window or the Device Dashboard tab of the Cisco ASDM Home pane.
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: