Is there any 1550 blocks depletion ? Cisco ASA Firewall

secureIT · ‎10-04-2016

Hello All,

Seeing input error and overruns increasing in one outside interface of ASA firewall
Are we seeing 1550 blocks depletion here ?

My real life problem is getting too many input and overruns on the outside interface of the firewall, where as traffic load is very normal.

ASA # show blocks
SIZE    MAX    LOW    CNT
     0    700    668    695
     4    300    298    299
    80    900    872    900
   256   4148   4033   4143
1550   9801   9140   9541
2048   1100   1094   1100
2560   2052   2052   2052
4096    100     97    100
8192    100     99    100
16384    154    154    154
65536     16     16     16

Also observed below configuration in the FW.

logging monitor debugging
logging buffered debugging
logging asdm debugging

Could someone assist pls.

JP Miranda Z · ‎10-04-2016

Hi Sec IT,

The blocks are looking good, also the logging config, these are some of the reasons why you can have overruns:

-CPU hogs

-Packet Processed Periodically

-Packet Bursts

You can take a look to this link in order to mitigate overruns:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113185-asaperformance.html#anc4

Hope this info helps!!

Rate if helps you!!

-JP-

secureIT · ‎10-04-2016

flow control to be enabled ?