%% Low on memory; try again later

[vanescar]

Salve

ho un grosso problema, il cisco sembra scarso di memoria, mi esce questa comunicazione

*Apr 3 04:04:48.242: %SYS-2-CHUNKEXPANDFAIL: Could not expand chunk pool for ip
nat node. No memory available -Process= "Chunk Manager", ipl= 4, pid= 1 -Traceba
ck= 0x80090594 0x8026FA48 0x8023E98C 0x80241D48
%% Low on memory; try again later

*Apr 3 04:05:01.734: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed
from 0x80270BE0, alignment 8
Pool: Processor Free: 64496 Cause: Not enough free memory
Alternate Pool: None Free: 0 Cause: No Alternate pool
-Process= "Chunk Manager", ipl= 4, pid= 1 -Traceback= 0x80090594 0x8024DF44 0x8
02536CC 0x80270BE4 0x8026FC88 0x8026FA00 0x8023E98C 0x80241D48
*Apr 3 04:05:01.734: %SYS-2-CHUNKEXPANDFAIL: Could not expand chunk pool for ip
port range . No memory available -Process= "Chunk Manager", ipl= 4, pid= 1 -Tra
ceback= 0x80090594 0x8026FA48 0x8023E98C 0x80241D48
*Apr 3 04:05:13.050: %SYS-2-CHUNKEXPANDFAIL: Could not expand chunk pool for ip
nat node. No memory available -Process= "Chunk Manager", ipl= 4, pid= 1 -Traceba
ck= 0x80090594 0x8026FA48 0x8023E98C 0x80241D48
%% Low on memory; try again later

%% Low on memory; try again later

%% Low on memory; try again later

nn riesco ad accedere....ho notato che capita, pero' nn ne sono sicuro, quando mi vengono effetuati dei scan port.
come posso chiudere questo genere di scan ?

[vanescar]

Grazie per la rispotta.....

sh ver

Cisco IOS Software, SOHO97 Software (SOHO97-K9OY1-M), Version 12.4(7), RELEASE S
OFTWARE (fc6)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 01-Mar-06 11:17 by alnguyen

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)

Router uptime is 0 minutes
System returned to ROM by reload
System image file is "flash:soho97-k9oy1-mz.124-7.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

Cisco SOHO97 (MPC857DSL) processor (revision 0x400) with 31130K/1638K bytes of m
emory.
Processor board ID AMB08300H24 (896444032), with hardware revision 0000
CPU rev number 7
1 Ethernet interface
1 ATM interface
128K bytes of NVRAM.
8192K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102

sh run

Building configuration...

Current configuration : 2200 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
enable secret XXXXXXXXXXXXXXXXXXXXXX
!
no aaa new-model
!
resource policy
!
!
!
ip cef
ip inspect max-incomplete high 400
!
!
!
!
!
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
ip access-group 100 in
ip access-group 1 out
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
ppp chap hostname XXXXXXX
ppp chap password 0 XXXXX
ppp pap sent-username XXXXXXX password 0 XXXXX
!
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
ip nat translation timeout 420
ip nat translation tcp-timeout 120
ip nat translation pptp-timeout 420
ip nat translation udp-timeout 120
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat translation max-entries 5000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.2 5500 interface Dialer0 5500
ip nat inside source static udp 192.168.1.4 8002 interface Dialer0 8002
ip nat inside source static tcp 192.168.1.4 8000 interface Dialer0 8000
ip nat inside source static tcp 192.168.1.4 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.4 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.4 8001 interface Dialer0 8001
!
access-list 1 permit any
access-list 100 permit tcp any any eq 8001
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any any eq www
access-list 100 deny tcp any any
access-list 100 permit tcp any any eq 8000
access-list 100 permit udp any any eq 8002
access-list 100 permit tcp any any eq 5500
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password XXXXXX
login
!
scheduler max-task-time 5000

[vanescar]

salve.... ce un comando che svuoti (per dire) la memoria in cache ?

[TheIrish]

Non so se questo risolverà il tuo problema, però io continuo a domandarmi chi vi ha insegnato ad usare:

ip nat translation max-entries 5000

Nel 99% dei casi, questo comando crea più problemi che benefici.

[Wizard]

Se puoi intanto aggiorna la IOS

[vanescar]

Router#sh version
Cisco IOS Software, SOHO97 Software (SOHO97-K9OY1-M), Version 12.4(7), RELEASE SOFTWARE (fc6)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 01-Mar-06 11:17 by alnguyen

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)

Router uptime is 1 day, 16 hours, 46 minutes
System returned to ROM by power-on
System image file is "flash:soho97-k9oy1-mz.124-7.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

Cisco SOHO97 (MPC857DSL) processor (revision 0x400) with 31130K/1638K bytes of memory.
Processor board ID AMB08300H24 (896444032), with hardware revision 0000
CPU rev number 7
1 Ethernet interface
1 ATM interface
128K bytes of NVRAM.
8192K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102


@TheIrish, l'ho copiato su qualche configurazione...forse ho trascritto male...era per limitare emule e le sue connessioni...diceva che lo rendeva + stabile a livello router & emule

no so cosa serva.... ho imostato:

ip nat translation max-entries 500

[[Dj][DMX]]

No, devi dare no ip nat translation max-entries

[Shye]

Ma che problemi crea il comando in questione?

[Wizard]

Tornando al problema dei port scanning io ti consiglio vivamente di configurare l'ip inspect in uscita e creare quindi delle acl in entrata!
Per le max entry se tu ad esempio metti 100 e arrivi a 100 righe nella tabella di nat accade che la 101esima riga non si crea e quindi non esce.