Packet dropped in ASA interfaces

bensonlei — Fri, 21 Feb 2020 15:54:55 GMT

We have ASA 5545-X firewall pair in LAN network, and found lots of packet dropped in each interface ( the following counters are reset every morning for investigation), as below:

Interface GigabitEthernet1/0 "users", is up, line protocol is up
Hardware is i82576F rev01, BW 1000 Mbps, DLY 1000 usec
(Full-duplex), 1000 Mbps(1000 Mbps)
Input flow control is unsupported, output flow control is off

628415157 packets input, 718417012211 bytes, 0 no buffer
Received 73 broadcasts, 0 runts, 0 giants
.....................
327194378 packets output, 280633649724 bytes, 0 underruns
.....................
Traffic Statistics for "users":
628415153 packets input, 706634816920 bytes
327194378 packets output, 274259325238 bytes
300365 packets dropped
      1 minute input rate 7182 pkts/sec, 983642 bytes/sec
      1 minute output rate 21990 pkts/sec, 28999034 bytes/sec
      1 minute drop rate, 14 pkts/sec
      5 minute input rate 3620 pkts/sec, 731810 bytes/sec
      5 minute output rate 6948 pkts/sec, 7747108 bytes/sec
      5 minute drop rate, 15 pkts/sec

Interface GigabitEthernet1/1 "vlan1", is up, line protocol is up
Hardware is i82576F rev01, BW 1000 Mbps, DLY 1000 usec
(Full-duplex), 1000 Mbps(1000 Mbps)
Input flow control is unsupported, output flow control is off
...................
3709153427 packets input, 4231993670446 bytes, 0 no buffer
Received 2946230 broadcasts, 0 runts, 0 giants
.............................
3743225801 packets output, 4211235321046 bytes, 0 underruns
............................
Traffic Statistics for "vlan1":
118274767 packets input, 153379837882 bytes
32079207 packets output, 5847325514 bytes
33386 packets dropped
      1 minute input rate 1922 pkts/sec, 2475670 bytes/sec
      1 minute output rate 921 pkts/sec, 92641 bytes/sec
      1 minute drop rate, 1 pkts/sec
      5 minute input rate 895 pkts/sec, 1004171 bytes/sec
      5 minute output rate 520 pkts/sec, 101586 bytes/sec
      5 minute drop rate, 1 pkts/sec

Interface GigabitEthernet1/1.169 "vlan169", is up, line protocol is up
Hardware is i82576F rev01, BW 1000 Mbps, DLY 1000 usec
VLAN identifier 169
Traffic Statistics for "vlan169":
1396663 packets input, 232877131 bytes
1347307 packets output, 1377419222 bytes
132616 packets dropped

Interface GigabitEthernet1/1.261 "vlan261", is up, line protocol is up
Hardware is i82576F rev01, BW 1000 Mbps, DLY 1000 usec
VLAN identifier 261
Traffic Statistics for "vlan261":
3578891 packets input, 1241639927 bytes
4083447 packets output, 1785864313 bytes
127308 packets dropped

Interface GigabitEthernet1/2 "", is up, line protocol is up
Hardware is i82576F rev01, BW 1000 Mbps, DLY 1000 usec
(Full-duplex), 1000 Mbps(1000 Mbps)
Input flow control is unsupported, output flow control is off

66111356 packets input, 4808097485 bytes, 0 no buffer
Received 671084 broadcasts, 0 runts, 0 giants
...................
324571395 packets output, 462270967911 bytes, 0 underruns
...............

Interface GigabitEthernet1/2.15 "vlan15", is up, line protocol is up
Hardware is i82576F rev01, BW 1000 Mbps, DLY 1000 usec
VLAN identifier 15
.......................
Traffic Statistics for "vlan15":
69304291 packets input, 5616912963 bytes
327177069 packets output, 456823365866 bytes
495391 packets dropped

.................................................................................................................................

Any suggestion/advice for improvement of the interfaces traffic :

1. Turn on flowcontrol in each interface ?

2. Split (VLANS) into more physical interfaces, in order to share LAN traffic

3. enlarge the interface input buffer/output buffer ?

Thanks a lot

Re: Packet dropped in ASA interfaces

Florin Barhala — Tue, 26 Jun 2018 09:08:50 GMT

So far I have only one suggestion: on the switch port used for trunking towards ASA, make sure you allow to the ASA ONLY the VLANs used by the firewall. This should reduce the noise.

Still there's Gi1/0 on your scenario that seems to use an access ports, right?
Can you share switch port config used to connect Gi1/0? Also can you share swich port statistics used by Gi1/0?

Re: Packet dropped in ASA interfaces

bensonlei — Tue, 26 Jun 2018 15:38:38 GMT

Thx for the help.

A Juniper switch connects to the ASA:

1. ASA G1/0 is access port.

2. ASA G1/1 is trunk port in Juniper switch, some VLANs are configured in ASA G1/1, like above:

G1/1.160, G1/1.261, more than 10 vlans in Gi1/1 interface.

3. ASA G1/2 is also trunk port in Juniper switch, but there are two vlans in Gi1/2 interface.

topic Re: Packet dropped in ASA interfaces in Network Security

Packet dropped in ASA interfaces

Re: Packet dropped in ASA interfaces

Re: Packet dropped in ASA interfaces