Introduction
This document describes how to interpret the various memory components in Adaptive Security Appliance (ASA)/Firepower Threat Defense (FTD).
Background Information
If you receive any memory-related notifications, this article helps you determine when to take preventive measures and when to disregard them. Simple Network Management Protocol (SNMP) polling is typically used to initiate memory-related alarms. The SNMP polling uses the result of the show memory detail command to gather data and trigger the alerts.
General Information
This article discusses the following memory elements:
- MEMPOOL_HEAPCACHE_X
- MEMPOOL_GLOBAL_SHARED
- MEMPOOL_DMA and MEMPOOL_DMA_ALT1
MEMPOOL_HEAPCACHE_X
Understanding Heapcache Memory Alerts
- Heapcache Allocation Behavior
  - Heapcache is the preferred pool for memory allocations.
  - Once the Heapcache pool is exhausted, further allocations are taken from the global shared pool.
  - The global shared pool itself pulls memory from the system memory as needed.
- Heapcache Memory Alerts
  - Receiving Heapcache memory alerts is normal and does not indicate a problem.
  - High usage of the Heapcache memory is expected because it is the first pool allocated for usage.
- Key Point to Monitor
  - Focus on system memory usage.
  - If system memory is sufficient, you do not need to worry about alerts for MEMPOOL_HEAPCACHE_0 or MEMPOOL_GLOBAL_SHARED pools.
  - Monitor system memory using your SNMP tools for any critical thresholds or performance degradation.
- Alerts and Expected Behavior
  - The memory reservation behavior is normal.
  - The system reserves and allocates memory dynamically as needed.
  - You can safely ignore alerts related to Heapcache or global shared pools unless system memory itself becomes critically high.
MEMPOOL_GLOBAL_SHARED
- Dynamic Memory Handling
MEMPOOL_GLOBAL_SHARED does not pre-allocate all the memory at boot time. Instead, it requests memory from the operating system on demand as needed.
- Memory Release
When a large amount of memory is freed, MEMPOOL_GLOBAL_SHARED returns memory back to the operating system.
- Elastic Growth/Shrinkage
The size of MEMPOOL_GLOBAL_SHARED expands and contracts dynamically based on the workload. This adaptive behavior ensures efficient memory utilization.
- Minimal Cache for Speed
A small amount of memory remains allocated within MEMPOOL_GLOBAL_SHARED to speed up future memory allocation requests and avoid latency.
Alert Context
If this alert appears, it describes the expected behavior of MEMPOOL_GLOBAL_SHARED. Since it grows, shrinks, and manages memory dynamically, the behavior is normal and does not indicate any issue. You can safely ignore this alert unless specific memory-related performance problems are observed.
MEMPOOL_DMA and MEMPOOL_DMA_ALT1
DMA Memory Pools Overview
The Direct Memory Access (DMA) memory system in Cisco ASA/FTD consists of two key memory pools:
- MEMPOOL_DMA
- MEMPOOL_DMA_ALT1
These two pools work together in order to ensure smooth memory availability:
Usage of DMA Memory
The DMA memory pool is primarily used for tasks requiring high-speed data access and memory-intensive operations. It is commonly utilized for VPN-related features and other processes, including:
- Virtual private network (VPN) Services:
- Security and Logging Services:
- Intrusion Prevention System (IPS)
- Syslogging ("logging host ...")
- Secure shell (SSH) Connections
- Management and Other Services:
Behavior of DMA Memory Pools
- Boot-Time Allocation:
At boot-up, the ASA allocates DMA memory based on the enabled features.
- Dynamic Memory Use:
  - Processes request memory from MEMPOOL_DMA when needed.
  - When the processes are done, the memory is returned to the free pool (with a slight delay).
- Fallback to MEMPOOL_DMA_ALT1:
  - If MEMPOOL_DMA becomes fully utilized, the system automatically starts using MEMPOOL_DMA_ALT1.
  - This ensures continuous operation without memory-related disruptions.
When to Be Concerned?
- If MEMPOOL_DMA utilization is high (close to 100%), there is no immediate issue as long as MEMPOOL_DMA_ALT1 has sufficient memory.
- If MEMPOOL_DMA_ALT1 also starts to fill up, it signals a memory exhaustion problem and requires further investigation.
- Action Required:
  - Monitor MEMPOOL_DMA_ALT1 usage.
  - If both pools approach full utilization, investigate feature usage, logging activity, and memory-hungry processes.
If you observe high DMA memory-related issues, check the following:
- HTTP server: If HTTP is configured, it allocates 4, 80, 1550, 2048, and 2560 byte blocks, which results in about 7Mb of DMA being used. Try to disable the ASDM access for the time being.
- URL server: If it is configured, this adds another 81Kb of DMA memory.
- Internet Key Exchange (IKE) and WebVPN: Having any form of VPN enabled pulls memory out of the DMA memory pool. If you are using a VPN, it can also utilize this memory. Check VPN utilization in order to ensure it does not exceed the box capacity.
- Logging: DMA used for logging is governed by queue size and number of logging hosts.
#sh run logg
- Do not use logging queue 0
- Do not use logging queue 8192
- Do not configure more than one logging server
- Do not configure jumbo frames
SNMP Monitoring
The Management Information Bases (MIBs) shown are utilized for SNMP memory monitoring.
This section explains the Counter64 values in these MIBs and how you can use them.
Counter64 Values in MIBs
- MIB .1.3.6.1.4.1.9.9.221.1.1.1.1.18: This MIB represents the cempMemPoolHCUsed object, which is a high-capacity counter for the memory pool used. It provides the amount of memory used in the pool, measured in bytes.
- MIB .1.3.6.1.4.1.9.9.221.1.1.1.1.20: This MIB represents the cempMemPoolHCFree object, which is a high-capacity counter for the memory pool free. It provides the amount of free memory in the pool, measured in bytes.
Purpose of Specific MIBs:
- MEMPOOL_MSGLYR_HB: Represents the memory pool for the message layer heartbeat. This is used to monitor the memory allocated for heartbeat messages in the system.
- MEMPOOL_MSGLYR: Represents the memory pool for the message layer. This is used to monitor the memory allocated for general message layer operations in the system.
- MEMPOOL_HEAPCACHE_1: Represents the memory pool for heap cache 1. This is used to monitor the memory allocated for the first heap cache in the system.
- MEMPOOL_HEAPCACHE_0: Represents the memory pool for heap cache 0. This is used to monitor the memory allocated for the primary heap cache in the system.
- MEMPOOL_DMA_ALT1: Represents the memory pool for DMA alternate 1. This is used to monitor the memory allocated for the first alternate DMA operations in the system.
- MEMPOOL_DMA: Represents the memory pool for DMA. This is used to monitor the memory allocated for DMA operations in the system.
- MEMPOOL_GLOBAL_SHARED: Represents the memory pool for global shared memory. This is used to monitor the memory allocated for globally shared operations in the system.
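The alert rules from the DMA and Heapcache sections can be applied to polled values of the two MIBs above. The following is an added example, not Cisco code: it parses a constructed `snmpwalk -On` style capture and triages each pool. Assumptions: the name column `.3` (cempMemPoolName) comes from CISCO-ENHANCED-MEMPOOL-MIB rather than this page, and the 90% threshold and the `system_pct` input (system memory use, polled separately) are hypothetical because the page gives no numeric threshold.

```python
import re

# Columns of cempMemPoolEntry. HC_USED and HC_FREE are the OIDs named on the page;
# NAME (.3, cempMemPoolName) is an assumption taken from CISCO-ENHANCED-MEMPOOL-MIB.
NAME = ".1.3.6.1.4.1.9.9.221.1.1.1.1.3"
HC_USED = ".1.3.6.1.4.1.9.9.221.1.1.1.1.18"
HC_FREE = ".1.3.6.1.4.1.9.9.221.1.1.1.1.20"
COLUMNS = ((NAME, "name"), (HC_USED, "used"), (HC_FREE, "free"))

# Constructed sample in `snmpwalk -On` style; indexes and byte counts are made up.
SAMPLE_WALK = """\
.1.3.6.1.4.1.9.9.221.1.1.1.1.3.1.1 = STRING: "MEMPOOL_HEAPCACHE_0"
.1.3.6.1.4.1.9.9.221.1.1.1.1.3.1.2 = STRING: "MEMPOOL_DMA"
.1.3.6.1.4.1.9.9.221.1.1.1.1.3.1.3 = STRING: "MEMPOOL_DMA_ALT1"
.1.3.6.1.4.1.9.9.221.1.1.1.1.18.1.1 = Counter64: 990000
.1.3.6.1.4.1.9.9.221.1.1.1.1.18.1.2 = Counter64: 950000
.1.3.6.1.4.1.9.9.221.1.1.1.1.18.1.3 = Counter64: 100000
.1.3.6.1.4.1.9.9.221.1.1.1.1.20.1.1 = Counter64: 10000
.1.3.6.1.4.1.9.9.221.1.1.1.1.20.1.2 = Counter64: 50000
.1.3.6.1.4.1.9.9.221.1.1.1.1.20.1.3 = Counter64: 900000
"""
LINE = re.compile(r'^(\.[\d.]+) = \w+: "?([^"]*)"?$')

def pool_utilization(walk):
    """Return {pool name: percent used}, joining the three columns on the row index."""
    rows = {}
    for line in walk.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        oid, value = m.groups()
        for column, key in COLUMNS:
            if oid.startswith(column + "."):
                rows.setdefault(oid[len(column) + 1:], {})[key] = value
    return {r["name"]: 100.0 * int(r["used"]) / (int(r["used"]) + int(r["free"]))
            for r in rows.values() if len(r) == 3 and int(r["used"]) + int(r["free"])}

def triage(util, system_pct, high=90.0):
    """Apply the page's rules; `high` and `system_pct` are assumptions (see lead-in)."""
    verdict = {}
    for name in util:
        if name.startswith("MEMPOOL_HEAPCACHE_") or name == "MEMPOOL_GLOBAL_SHARED":
            verdict[name] = "investigate" if system_pct >= high else "ignore"
    if "MEMPOOL_DMA" in util:
        alt = util.get("MEMPOOL_DMA_ALT1", 0.0)
        if util["MEMPOOL_DMA"] < high:
            verdict["MEMPOOL_DMA"] = "ok"
        else:  # MEMPOOL_DMA is full: only a problem once the fallback pool fills too
            verdict["MEMPOOL_DMA"] = "investigate" if alt >= high else "ok, watch MEMPOOL_DMA_ALT1"
    return verdict
```

With the sample capture, MEMPOOL_DMA at 95% is reported as "ok, watch MEMPOOL_DMA_ALT1" because the fallback pool is at 10%, and the 99% Heapcache reading is ignored while system memory is healthy.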