BugZero | Cisco BugID CSCwi68833 - ASA/FTD: Memory leak caused by Failover not freein...

Cisco - Defect ID: CSCwi68833

ASA/FTD: Memory leak caused by Failover not freeing dnscrypt key cache due to unsyned umbrella flow

Cisco - Defect ID: CSCwi68833

ASA/FTD: Memory leak caused by Failover not freeing dnscrypt key cache due to unsyned umbrella flow

Last updated on 5/7/2025

Overall: 7.87.8

Severity: 8.28.2

Lifecycle: 9.19.1

Popularity: 4.64.6

What is the BugZero Risk Score?

Vendor details

No defect details.

Overall: 7.87.8

Severity: 8.28.2

Lifecycle: 9.19.1

Popularity: 4.64.6

What is the BugZero Risk Score?

Vendor details

No defect details.

Symptom

++ Lina running on low memory mostly used by global shared pool: Free memory: 504180750 bytes ( 4%) Used memory: 12172147104 bytes (96%) ------------- ------------------ Total memory: 12676327854 bytes (100%) ------------------ show memory detail ------------------ Heap Memory: Free Memory: Heapcache Pool: 162834992 bytes ( 1% ) Global Shared Pool: 214358560 bytes ( 2% ) Message Layer Pool: 14237824 bytes ( 0% ) Message Layer HB Pool: 198928 bytes ( 0% ) System: 169322926 bytes ( 1% ) Used Memory: Heapcache Pool: 1984648656 bytes ( 16% ) Global Shared Pool: 8238978528 bytes ( 65% ) <--- Reserved (Size of DMA Pool): 1073741824 bytes ( 8% ) Reserved for messaging: 2277248 bytes ( 0% ) Reserved for HB messaging: 63216 bytes ( 0% ) MMAP usage: 70969522 bytes ( 1% ) System Overhead: 744957774 bytes ( 6% ) ------------------------------------- ---------------- Total Memory: 12676327854 bytes ( 100% ) ++ Console: 22024-01-15 09:06:33 1/15/2024 9:6:32 [error] ccs_chmclient - Mem allocation failed, no more memory. 2024-01-15 09:06:33 1/15/2024 9:6:32 [error] ccs_clnt_mgr - Failed to send hw notification 2024-01-15 09:06:34 lina_io_open "/tmp/ssp_ntpd/.ssptime2asa.pipe": ERROR - failed IO device allocation 2024-01-15 09:06:34 lina_io_open "/tmp/ssp_tz/.ssptz2asa.pipe": ERROR - failed IO device allocation 2024-01-15 09:06:38 1/15/2024 9:6:37 [error] ccs_chmclient - Mem allocation failed, no more memory. 2024-01-15 09:06:38 1/15/2024 9:6:37 [error] ccs_clnt_mgr - Failed to send hw notification

Conditions

Reported on FP4110 with FTD 7.2.4 The issue is triggered by a failover.

Workaround

Disable dnscrypt https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/access-dns.html

Further Problem Description

The problem appears to be instigated by triggering failover. Certain information from the umbrella flow is not being efficiently replicated to the standby unit. Consequently, the "dnscrypt key cache" associated with that umbrella flow is not being released as it should be. Resulting to potential Memory leak situation.

Original Vendor Announcement

9.65Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.65Defect ID: CSCwa92734
CUBE DTMF interworking fails from rtp-nte to OOB SIP methods
9.65Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.65Defect ID: CSCvo03458
PKI "revocation check crl none" does not fallback if CRL not reachable
9.65Defect ID: CSCvq05584
Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCwi68833

ASA/FTD: Memory leak caused by Failover not freeing dnscrypt key cache due to unsyned umbrella flow

Cisco - Defect ID: CSCwi68833

ASA/FTD: Memory leak caused by Failover not freeing dnscrypt key cache due to unsyned umbrella flow

Last updated on 5/7/2025

Vendor details

Vendor details

Description

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco defects by risk score

Ready to prevent the next vendor outage?