So we have a number of 5512Xs without firepower, and some of them are running low on memory, do a show memory and see we have 2 GB of RAM, no problem, 5512Xs can handle 4 GB of ram, order some ram and it's all good.
Free memory: 370253520 bytes (17%)
Used memory: 1777230128 bytes (83%)
------------- ------------------
Total memory: 2147483648 bytes (100%)
Do some digging, and odd, it looks like I actually have 4GB of ram, but only using 2.
Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
ASA: 2048 MB RAM, 1 CPU (1 core)
After more digging it turns out 2GB of the 4GB is reserved for modules... which I don't have any of, so I basically can't use it... at all.
Long story short buy a 5512X, don't use firepower, and you only have 2GB of usable memory, not the 4 they claim.
Is this the same on any other models? Or maybe a link where you found out about the reservation? I'm going to be buying 8 firewalls in a couple months. There is a debate on making some of them smaller than the 5525-X and I'd really like to not run into this haha.
I have in a question to our Cisco rep about the 5508 (which will support up to 8GB of RAM).
I found out on a forum (https://supportforums.cisco.com/discussion/12884511/cisco-asa-5512-x-memory) how to read the show ver below.
After that I did some searching online and couldn't find anything on how to free that RAM so I called TAC and got a good engineer (Gasp!!) who filled me in on the the fact that the RAM is reserved and can't be freed up.
QuoteThe ressources (memory and CPU-cores) are split between the ASA itself and the security-module. On the first line you see how many resources are totally available. On the second line you see haw many resources are reserved for the ASA. The rest is for the module.
Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
ASA: 2048 MB RAM, 1 CPU (1 core)
Interesting. I see the same thing, of course with scale, on our 5525-X.
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Wow.. that's not really evident on the spec sheet.
I never did find anything about it on Cisco's website outside of their forums
Finding creative ways to get my memory down
object-group network net-blah
description All blah Networks
network-object 10.0.55.48 255.0.255.112
... yeah, I went there
thats hilarious. So to confirm I'm reading this right: if you buy an ASA55xx-X, half the RAM is reserved for firepower, even if you're not using it?
its almost like they're not even trying anymore.....
was not aware of it, but you will see the same behavior in ASR
Quote from: GeorgeS on February 25, 2016, 04:23:28 AM
was not aware of it, but you will see the same behavior in ASR
Wait, what?
ASR doesn't have Firepower, so why reserve half the RAM? Again for modules?
it has nothing to do with the firepower in that case, but in cisco routers they use the shared and the main process memory , i cannot find it in my notes but if i remember correct in ASR u need approx 500mb of ram just for the IOS!
In every router you will see that behavior more or less but i have never seen something like the ASA with firepower ! But again in a router u do not care about the ram but the incoming/outgoing throughput of the device as you will find in many cases that even though you are not over utilizing the line you have drops and that has to do with how much throughput the device can process ( i speak for big boxes with multiple interfaces). We are moving to different topic now but still is a similar sneaky/tricky tactic from cisco.
I wonder if that RAM isn't being reserved for the modal but for the OS to run, then all the extra ASA stuff (ACLs, connections, etc) are running in the 2GB that shows up in show ver.
Just had a look at my ASA5515X and it says this under show ver:
Quote
Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
So looks like the chassis has 8GB ram but the ASA has 4GB.
So I did a show mem:
Quote
CIN-5515# show mem
Free memory: 3448950711 bytes (80%)
Used memory: 846016585 bytes (20%)
------------- ------------------
Total memory: 4294967296 bytes (100%)
:whistle:
I can't remember exactly but when I specc'ed out our ASA's for our 40 person company, the 5515X was the minimum for us.
I still haven't paid for these units, had them almost 2 years now.. Although it is being sorted and I've had some additional costs approved for Firepower. Hope to get that soon.
Quote from: wintermute000 on February 25, 2016, 04:07:40 AM
thats hilarious. So to confirm I'm reading this right: if you buy an ASA55xx-X, half the RAM is reserved for firepower, even if you're not using it?
its almost like they're not even trying anymore.....
I think this is more like, you buy a new Cisco hardware unit with more than 1 CPU core, but the device only uses 1 of those CPUs for it's main function. Like a 2921 ISR comes with dual core CPUs but the router only uses 1 CPU, and the other CPU is reserved for the ISM. Except in this case it's RAM.
Just spent the last 15 minutes trying to navigate to the ASA5515x page on Cisco.com to see the information, and I've not been able to find the page. I can get to the security firewall area, but can't find the specific specifications page for the ASA5515x. Given up.
I also don't recall reading that 8GB RAM for the chassis means 1/2 for the ASA itself. I have the module in ours for firepower already. I gathered that module has it's own CPU and RAM and uses the SSD for storage. I still think that is true but where does the chassis ram go to if that is true.
Quote from: Dieselboy on February 26, 2016, 12:25:51 AM
Except in this case it's RAM.
Looking closer at those outputs it's also CPU. 4 cores but the ASA only gets 1.
Quote from: Dieselboy on February 26, 2016, 12:25:51 AM
Just spent the last 15 minutes trying to navigate to the ASA5515x page on Cisco.com to see the information, and I've not been able to find the page. I can get to the security firewall area, but can't find the specific specifications page for the ASA5515x. Given up.
http://www.cnet.com/products/cisco-asa-5515-x-firewall-edition-security-appliance-series/specs/#p=cisco-asa-5515-x-firewall-edition-security-appliance/
.61 seconds to search and two minutes to view results.
To be fair, he was searching through Cisco's website.
Quote from: deanwebb on February 26, 2016, 10:23:01 AM
To be fair, he was searching through Cisco's website.
Can anyone find anything on Cisco's site?
(other than using a google hack)
I have figured out how to find OSs :-)
Haha thanks guys :)
I was trying to get the actual Cisco page where it gives you the specs. I wanted to see the Cisco page so there was no discrepancy.
Quote from: ristau5741 on February 26, 2016, 11:08:56 AM
Quote from: deanwebb on February 26, 2016, 10:23:01 AM
To be fair, he was searching through Cisco's website.
Can anyone find anything on Cisco's site?
(other than using a google hack)
I actually got pretty good at the DOC-CD, though IRL 90% of the time I just google it.
But that 10% of the time when the exact exact details are important, I still go straight to the source (i.e. DOC-CD for that exact IOS version).
Quote from: routerdork on February 26, 2016, 08:41:21 AM
Quote from: Dieselboy on February 26, 2016, 12:25:51 AM
Except in this case it's RAM.
Looking closer at those outputs it's also CPU. 4 cores but the ASA only gets 1.
I noticed that too. I don't think I've ever seen an ASA CPU above 10%. I wonder if that is stats on the single core, or all four?
This makes me want to take a much closer look at our boxes... see if ones on older code have differences from ones on newer code. None of our X models are new enough to ship with SourceFire, but my due diligence bone is starting to ache...
Sent from my SM-N900P using Tapatalk
Quote from: Netwörkheäd on February 28, 2016, 09:45:14 AM
This makes me want to take a much closer look at our boxes... see if ones on older code have differences from ones on newer code. None of our X models are new enough to ship with SourceFire, but my due diligence bone is starting to ache...
Older 5585X: all mem, CPU looks like it's for ASA, running 9.1(3) code
Newest 5525X: ASA gets 1 of 4 CPUs and half the RAM - ver 9.3(2)
Not-so-new 5525X: ASA gets 1 of 4 CPUs and half the RAM - ver 9.1(1)
follow-on edit:
ALL my 5525s and 5512s have the half RAM/1 CPU situation, regardless of code version.
:no:
Also, for when I talk to Cisco in the vendor booths in a few days:
:vendors:
Hey, guess what: it's an old issue!
https://supportforums.cisco.com/discussion/11559081/asa-5515-x-not-addressing-all-cpu-coresmemory
Four years ago, 'twas written:
this was a documentation bug... CSCtz55372
(http://supportforums.cisco.com/sites/default/files/legacy/6/8/1/96186-HW_Specs.png)
Cisco need the back of their hand slapped. Misleading customers tut tut.
That's just wrong :-(
Bad Cisco, give us correct information.
I think if more of us posted in the thread linked above, they might do something.
I already put it on my linked in page.
Talked with a Palo Alto guy today. They reserve resources for inspection and resources for firewall processing... but you also can't buy a Palo without one or the other. Whereas, I need to follow up with Cisco why they reserve resources for a module that ain't bought.
Talked with Cisco today. Yes, those resources are reserved for SourceFire. The throughput rates and other things not associated with RAM and CPU are still valid for all their gear, but those RAM and CPU resources are reserved. It's that way on all NGFW models, regardless of vendor, it seems. It's just that in a Cisco box, you have the option of whether or not you get the SourceFire module.
That being said, there really ought to be documentation of the fact that the ASA is going to hit a memory limit with or without SourceFire that is at 50% of the total RAM on the system.
Quote from: deanwebb on March 02, 2016, 07:11:13 PM
That being said, there really ought to be documentation of the fact that the ASA is going to hit a memory limit with or without SourceFire that is at 50% of the total RAM on the system.
Yes, it's misleading. If someone is speccing out firewalls they could look at the stated RAM and may not realise they would actually be getting half of that.
Quote from: Dieselboy on March 02, 2016, 10:04:50 PM
Yes, it's misleading. If someone is speccing out firewalls they could look at the stated RAM and may not realise they would actually be getting half of that.
Yep that's us, our 5512x can't take anymore RAM and it's out of free RAM, we are going to have to buy new Firewalls.