Cisco 1760 Router - %%Low on memory; try again later ???

Hi experts,

We have a Cisco 1760 router that has been in use for over a year now. Everything has been working fine with it until last week, when I started seeing the error:

%SYS-2-CHUNKEXPANDFAIL: Could not expand chunk pool for ipnat node. No memory available
-Process= "Chunk Manager", ipl= 5, pid= 1
-Traceback= 80225978 80209C78 8020E290

When I try to make changes using the console, I get: %% Low on memory; try again later

I have no idea why this is happening, so perhaps you all can help me.

Below is the current running config.  If you see anything that I should change, let me know.  Also, how can I edit the configuration since it will not let me in right now?

!This is the running config of the router: 192.168.10.1
!----------------------------------------------------------------------------
!version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 1760
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging count
logging buffered 52000 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
!
username Supervisor privilege 15 password xxxxxxxxxxxxxxxxxxxxxxxxxxxx
username murbano privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx/
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip tcp synwait-time 10
ip domain name domain.com
ip name-server XXX.175.203.50
ip name-server XXX.175.203.59
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.10.51 192.168.10.254
!
ip dhcp pool sdm-pool1
   network 192.168.10.0 255.255.255.0
   domain-name domain.com
   dns-server XX.XX.198.3 XX.XX.198.4
   default-router 192.168.10.1
!
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
ip audit notify log
ip audit po max-events 100
ip ssh break-string string
no ftp-server write-enable
!
!
crypto ca trustpoint DomainCA
 enrollment terminal
 serial-number none
 fqdn 1760.domain.com
 ip-address none
 password 7 08
 subject-name O=Company, CN=1760, C=US, ST=City
 revocation-check crl
 rsakeypair SDM-RSAKey-XXX4099404000
!
crypto ca trustpoint DomianServer
 enrollment url http://192.168.10.254:80
 serial-number none
 fqdn 1760.domain.com
 ip-address none
 password 7 07
 revocation-check crl
 rsakeypair SDM-RSAKey-XXX4099404000
 auto-enroll
!
!
crypto ca certificate chain DomainCA
 certificate ca XXXXXXXXXXXXXXXXXXXXXX
  XXXXXXX XXXXXXX A0030201 02020A47 5122B800 00000000 05300D06 092A8648
  ...............
  quit
crypto ca certificate chain DomainServer
!
no crypto isakmp enable
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 group 2
!
crypto isakmp client configuration group admin
 dns xx.xx.198.3 xx.xx.198.4
 domain domain.com
 pool SDM_POOL_1
 max-users 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect DEFAULT100 in
 ip route-cache flow
 speed auto
 no cdp enable
!
interface Serial0/0
 description $FW_OUTSIDE$
 ip address xx.xx.196.226 255.255.255.252
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 no keepalive
 no cdp enable
!
interface Ethernet1/0
 description $ETH-LAN$$FW_INSIDE$
 ip address xx.xx.198.1 255.255.255.224
 ip access-group sdm_ethernet1/0_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 half-duplex
 no cdp enable
!
ip local pool SDM_POOL_1 xx.xx.198.12 xx.xx.198.15
ip nat pool Phoenix 192.168.10.2 192.168.10.50 netmask 255.255.255.0
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1/0 overload
ip nat inside source static tcp 192.168.10.99 10418 xx.xx.198.1 10418 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip http server
ip http authentication local
no ip http secure-server
!
!
!
ip access-list extended sdm_ethernet1/0_in
 remark SDM_ACL Category=1
 remark Outgoing Traffic From DMZ
 permit ip any any log
logging trap debugging
logging xx.xx.198.4
access-list 7 remark NAT
access-list 7 remark SDM_ACL Category=2
access-list 7 permit 192.168.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp host 192.168.10.254 eq www host 192.168.10.1 gt 1024
access-list 100 deny   ip xx.xx.196.224 0.0.0.3 any log
access-list 100 deny   ip host 255.255.255.255 any log
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 100 permit ip any any log
access-list 101 remark SDM_ACL Category=2
access-list 101 deny   ip any xx.xx.198.12 0.0.0.3
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark User Scan
access-list 102 deny   ip host 199.10.150.100 any
access-list 102 deny   ip xx.xx.198.12 0.0.0.3 any
access-list 102 deny   ip xx.135.0.0 0.0.255.255 any
access-list 102 deny   ip 192.168.10.0 0.0.0.255 any
access-list 102 deny   ip xx.xx.198.0 0.0.0.31 any
access-list 102 remark Win32:Mytob-DA [Wrm]
access-list 102 deny   ip host xx.xx.0.108 any
access-list 102 remark RDP
access-list 102 permit tcp host xx.xx.xx.224 eq 3389 any
access-list 102 permit udp any host xx.xx.196.226 eq non500-isakmp log
access-list 102 permit udp any host xx.xx.196.226 eq isakmp log
access-list 102 permit esp any host xx.xx.196.226 log
access-list 102 permit ahp any host xx.xx.196.226 log
access-list 102 permit udp host xx.xx.203.59 eq domain any
access-list 102 permit udp host xx.xx.203.50 eq domain any
access-list 102 remark Ping
access-list 102 permit icmp any any echo-reply
access-list 102 permit udp any eq 2055 any eq 2055 log
access-list 102 permit udp any eq 2056 any eq 2056 log
access-list 102 remark ICS
access-list 102 permit tcp any host xx.xx.198.5 eq 10418 log
access-list 102 remark Camera
access-list 102 permit ip any host xx.xx.198.11 log
access-list 102 remark SQL Server Connection
access-list 102 permit tcp any host xx.xx.198.6 eq 1433 log
access-list 102 remark DNS
access-list 102 permit udp any host xx.xx.198.3 eq domain
access-list 102 remark May not be needed
access-list 102 permit tcp any host xx.xx.198.3 eq domain log
access-list 102 permit udp any host xx.xx.198.4 eq domain
access-list 102 permit tcp any host xx.xx.198.4 eq domain
access-list 102 remark HTTPS (Webmail)
access-list 102 permit tcp any host xx.xx.198.3 eq 443 log
access-list 102 permit tcp any host xx.xx.198.3 eq 32001 log
access-list 102 remark Challenge Response
access-list 102 permit tcp any host xx.xx.198.3 eq 32000
access-list 102 permit tcp any host xx.xx.198.4 eq 443
access-list 102 permit tcp any host xx.xx.198.4 eq 32001
access-list 102 permit tcp any host xx.xx.198.4 eq 32000
access-list 102 permit tcp host xx.xx.203.59 eq domain host xx.xx.198.3
access-list 102 permit udp host xx.xx.203.59 eq domain host xx.xx.198.3
access-list 102 permit tcp host xx.xx.203.59 eq domain host xx.xx.198.4
access-list 102 permit udp host xx.xx.203.59 eq domain host xx.xx.198.4
access-list 102 permit tcp host xx.xx.203.50 eq domain host xx.xx.198.3
access-list 102 permit udp host xx.xx.203.50 eq domain host xx.xx.198.3
access-list 102 permit tcp host xx.xx.203.50 eq domain host xx.xx.198.4
access-list 102 permit udp host xx.xx.203.50 eq domain host xx.xx.198.4
access-list 102 permit tcp any eq smtp any log
access-list 102 permit tcp any eq www any log
access-list 102 remark HTTPs (From Outside)
access-list 102 permit tcp any eq 443 any log
access-list 102 permit icmp any host xx.xx.196.226 echo-reply
access-list 102 permit icmp any host xx.xx.196.226 time-exceeded
access-list 102 permit icmp any host xx.xx.196.226 unreachable
access-list 102 permit tcp any eq 5004 any
access-list 102 permit tcp any eq 5190 any
access-list 102 permit tcp any host xx.xx.198.3 eq smtp log
access-list 102 permit tcp any host xx.xx.198.4 eq smtp log
access-list 102 permit tcp any host xx.xx.198.3 eq pop3 log
access-list 102 permit tcp any host xx.xx.198.4 eq pop3 log
access-list 102 permit tcp host xx.xx.248.142 host xx.xx.198.5 eq ftp-data
access-list 102 permit tcp host xx.xx.248.142 host xx.xx.198.5 eq ftp
access-list 102 permit tcp host xx.xx.103.130 host xx.xx.198.5 eq ftp-data
access-list 102 permit tcp host xx.xx.103.130 host xx.xx.198.5 eq ftp
access-list 102 permit tcp host xx.xx.248.142 host xx.xx.198.6 eq ftp-data
access-list 102 permit tcp host xx.xx.248.142 host xx.xx.198.6 eq ftp
access-list 102 permit tcp host xx.xx.103.130 host xx.xx.198.6 eq ftp-data
access-list 102 permit tcp host xx.xx.103.130 host xx.xx.198.6 eq ftp
access-list 102 permit tcp host xx.xx.171.178 host xx.xx.198.6 eq ftp
access-list 102 permit tcp host xx.xx.171.178 host xx.xx.198.6 eq ftp-data
access-list 102 permit tcp any host xx.xx.198.5 eq ftp
access-list 102 permit tcp any host xx.xx.198.5 eq ftp-data
access-list 102 permit tcp any host xx.xx.198.5 eq www
access-list 102 deny   tcp any host xx.xx.198.6 range 2000 2010
access-list 102 remark HTTP
access-list 102 permit tcp any host xx.xx.198.7 eq www log
access-list 102 remark HTTPs (Web Server)
access-list 102 permit tcp any host xx.xx.198.7 eq 443 log
access-list 102 remark AIM
access-list 102 permit udp any eq 1863 any log
access-list 102 permit tcp any eq 1863 any log
access-list 102 remark AOL
access-list 102 permit tcp any range 5001 5004 any log
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip xx.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
banner login ^CCHello^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp server xx.xx.198.3 source Ethernet1/0 prefer
!
end


pwi11 Asked:

JFrederick29 Commented:
Sounds like you'll need to shut the router off and turn it back on to reclaim the used up memory.  Watch on boot up if you get failed memory or parity errors as the router memory might be bad.  After the reboot, you should be able to get back into the router.
pwi11 (Author) Commented:
I have also received the following error which showed up before the CHUNKEXPANDFAIL error:

-Process= "IP NAT Ager", ipl= 5, pid= 111

06-30-2005      08:41:15      Local7.Critical      1.domain.com      

1882386: -Traceback= 8020DBF0 801F6C14 80A30AF8 80A446B4 80A2A2F0 80A2A350 802078D4 80A2A608 80209C78 8020E290

06-30-2005      08:41:15      Local7.Critical      1.domain.com      

1882387: 1837593: .Jun 30 08:41:31.886 PCTime: %SYS-2-INTSCHED: 'may_suspend' at level 5
JFrederick29 Commented:
Reboot the router and see if it happens again.  Looks like the router crashed.
pwi11 (Author) Commented:
I first saw this memory error on Friday afternoon.  Before I left for the weekend, I restarted the router, thinking that a restart would solve the problem.  Obviously it did not, since I am having the same issue this week.
JFrederick29 Commented:
You could try upgrading your IOS to rule out a software bug with your current release.  Do you have a service contract with Cisco for this router?  You may need to contact them as it might be a hardware problem with the router.
pwi11 (Author) Commented:
I think the low memory problem has to do with my ip nat translation table.  When I enter the command "show ip nat translation verbose" I get back hundreds and hundreds of entries.

Will "clear ip nat translation" clean this up without causing any problems for me?
JFrederick29 Commented:
Depends on how many people are using the router.  Hundreds of entries may be normal.  If you clear nat translations, it will break connections.  Only use that command if people are not currently using the router.  You could have thousands of NAT translations and it wouldn't eat up much memory.
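
To judge whether the "hundreds and hundreds of entries" discussed in the last two posts are ordinary traffic or one inside host holding most of the table, the plain (non-verbose) output of `show ip nat translations` can be tallied per inside local address. This is an added example, not part of the thread; the sample rows, the documentation-range addresses and the 50% threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

def constructed_sample():
    """Constructed rows in the column layout of `show ip nat translations`."""
    rows = ["Pro Inside global      Inside local       Outside local      Outside global",
            # static port mapping with no active session: outside columns show ---
            "tcp 198.51.100.1:10418 192.168.10.99:10418 --- ---"]
    for i in range(1, 41):   # one inside host talking to 40 distinct destinations
        rows.append(f"tcp 198.51.100.1:{2000 + i} 192.168.10.23:{2000 + i} "
                    f"203.0.113.{i}:80 203.0.113.{i}:80")
    for i in range(3):       # a few DNS lookups from another inside host
        rows.append(f"udp 198.51.100.1:{3000 + i} 192.168.10.10:{3000 + i} "
                    "192.0.2.53:53 192.0.2.53:53")
    return "\n".join(rows)

def parse(text):
    """Yield (proto, inside_local_ip, outside_global_ip) for each translation row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":   # skip header and blank lines
            continue
        proto, _inside_global, inside_local, _outside_local, outside_global = fields
        yield proto, inside_local.rsplit(":", 1)[0], outside_global.rsplit(":", 1)[0]

def summarize(text, share=0.5):
    """Return (total, entries per inside host, distinct destinations per host, heavy hosts)."""
    per_host, dests = Counter(), defaultdict(set)
    for _proto, inside, outside in parse(text):
        per_host[inside] += 1
        if outside != "---":          # static entries have no outside address
            dests[inside].add(outside)
    total = sum(per_host.values())
    fanout = {host: len(d) for host, d in dests.items()}
    heavy = [h for h, n in per_host.most_common() if n / total >= share] if total else []
    return total, per_host, fanout, heavy

if __name__ == "__main__":
    total, per_host, fanout, heavy = summarize(constructed_sample())
    print(f"{total} translations")
    for host, n in per_host.most_common():
        print(f"{host:15} entries={n:4} distinct_destinations={fanout.get(host, 0)}")
    print("hosts holding >= 50% of the table:", heavy or "none")
```

Run it against a capture taken before any `clear ip nat translation`, since clearing discards the entries being counted.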
