Newer ASA Memory warning

[dlots]

So we have a number of 5512Xs without firepower, and some of them are running low on memory, do a show memory and see we have 2 GB of RAM, no problem, 5512Xs can handle 4 GB of ram, order some ram and it's all good.
Free memory:         370253520 bytes (17%)
Used memory:        1777230128 bytes (83%)
-------------     ------------------
Total memory:       2147483648 bytes (100%)

Do some digging, and odd, it looks like I actually have 4GB of ram, but only using 2.
Hardware:   ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
            ASA: 2048 MB RAM, 1 CPU (1 core)

After more digging it turns out 2GB of the 4GB is reserved for modules... which I don't have any of, so I basically can't use it... at all.

Long story short buy a 5512X, don't use firepower, and you only have 2GB of usable memory, not the 4 they claim.

[routerdork]

Is this the same on any other models? Or maybe a link where you found out about the reservation? I'm going to be buying 8 firewalls in a couple months. There is a debate on making some of them smaller than the 5525-X and I'd really like to not run into this haha.

[dlots]

I have in a question to our Cisco rep about the 5508 (which will support up to 8GB of RAM).

I found out on a forum (https://supportforums.cisco.com/discussion/12884511/cisco-asa-5512-x-memory) how to read the show ver below.

After that I did some searching online and couldn't find anything on how to free that RAM so I called TAC and got a good engineer (Gasp!!) who filled me in on the the fact that the RAM is reserved and can't be freed up.

The ressources (memory and CPU-cores) are split between the ASA itself and the security-module. On the first line you see how many resources are totally available. On the second line you see haw many resources are reserved for the ASA. The rest is for the module.

Code Select Expand


Hardware:   ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
            ASA: 2048 MB RAM, 1 CPU (1 core)


[routerdork]

Interesting. I see the same thing, of course with scale, on our 5525-X.

Code Select Expand

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)

[deanwebb]

Wow.. that's not really evident on the spec sheet.

[dlots]

I never did find anything about it on Cisco's website outside of their forums

[dlots]

Finding creative ways to get my memory down

object-group network net-blah
description All blah Networks
network-object 10.0.55.48 255.0.255.112

... yeah, I went there

[wintermute000]

thats hilarious. So to confirm I'm reading this right: if you buy an ASA55xx-X, half the RAM is reserved for firepower, even if you're not using it?
its almost like they're not even trying anymore.....

[GeorgeS]

was not aware of it, but you will see the same behavior in ASR

[Reggle]

was not aware of it, but you will see the same behavior in ASR

Wait, what?

ASR doesn't have Firepower, so why reserve half the RAM? Again for modules?

[GeorgeS]

it has nothing to do with the firepower in that case, but in cisco routers they use the shared and the main process memory , i cannot find it in my notes but if i remember correct in ASR u need approx 500mb of ram just for the IOS!
In every router you will see that behavior more or less but i have never seen something like the ASA with firepower !  But again in a  router u do not care about the ram but the incoming/outgoing throughput of the device as you will find in many cases that even though you are not over utilizing the line you have drops and that has to do with how much throughput the device can process ( i speak for big boxes with multiple interfaces). We are moving to different topic now but still is a similar sneaky/tricky tactic from cisco.

[dlots]

I wonder if that RAM isn't being reserved for the modal but for the OS to run, then all the extra ASA stuff (ACLs, connections, etc) are running in the 2GB that shows up in show ver.

[Dieselboy]

Just had a look at my ASA5515X and it says this under show ver:

Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)

So looks like the chassis has 8GB ram but the ASA has 4GB.

So I did a show mem:

CIN-5515# show mem
Free memory:        3448950711 bytes (80%)
Used memory:         846016585 bytes (20%)
-------------     ------------------
Total memory:       4294967296 bytes (100%)

I can't remember exactly but when I specc'ed out our ASA's for our 40 person company, the 5515X was the minimum for us.
I still haven't paid for these units, had them almost 2 years now.. Although it is being sorted and I've had some additional costs approved for Firepower. Hope to get that soon.

[Dieselboy]

thats hilarious. So to confirm I'm reading this right: if you buy an ASA55xx-X, half the RAM is reserved for firepower, even if you're not using it?
its almost like they're not even trying anymore.....

I think this is more like, you buy a new Cisco hardware unit with more than 1 CPU core, but the device only uses 1 of those CPUs for it's main function. Like a 2921 ISR comes with dual core CPUs but the router only uses 1 CPU, and the other CPU is reserved for the ISM. Except in this case it's RAM.
Just spent the last 15 minutes trying to navigate to the ASA5515x page on Cisco.com to see the information, and I've not been able to find the page. I can get to the security firewall area, but can't find the specific specifications page for the ASA5515x. Given up.

I also don't recall reading that 8GB RAM for the chassis means 1/2 for the ASA itself. I have the module in ours for firepower already. I gathered that module has it's own CPU and RAM and uses the SSD  for storage. I still think that is true but where does the chassis ram go to if that is true.

[routerdork]

Except in this case it's RAM.

Looking closer at those outputs it's also CPU. 4 cores but the ASA only gets 1.