
Tshoot ASA interface outage

jyoung
Level 1

I have an interesting problem that I am looking for some advice on. I recently replaced an ASA5510 with an ASA5525 on site. The LAN interface on the ASA plugs into a Linux transparent proxy server. Over the last few weeks since the ASA replacement, there have been 4 or 5 occasions where the internet drops on site for a few seconds (all connections lost). The ASA does NOT log an interface outage that I have seen, but the proxy server does:

09:00:52 Kernel [949334.379969] igb: ethD NIC Link is Down
09:00:52 Kernel [949334.380911] brCD: port 2(ethD) entering forwarding state
09:00:54 Kernel [949336.450178] igb: ethD NIC Link is Up 10 Mbps Full Duplex, Flow Control: RX/TX
09:00:54 Kernel [949336.450561] brCD: port 2(ethD) entering forwarding state
09:00:54 Kernel [949336.450573] brCD: port 2(ethD) entering forwarding state
09:00:55 Kernel [949336.989408] igb: ethD NIC Link is Down
09:00:55 Kernel [949337.449254] brCD: port 2(ethD) entering forwarding state
09:00:58 Kernel [949340.482199] igb: ethD NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
09:00:58 Kernel [949340.482442] brCD: port 2(ethD) entering forwarding state
09:00:58 Kernel [949340.482446] brCD: port 2(ethD) entering forwarding state
09:01:11 Kernel [949355.471201] brCD: port 2(ethD) entering forwarding state
09:02:25 Kernel [949429.127280] igb: ethD NIC Link is Down
09:02:25 Kernel [949429.127656] brCD: port 2(ethD) entering forwarding state
09:02:29 Kernel [949432.999715] igb: ethD NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
09:02:29 Kernel [949432.999981] brCD: port 2(ethD) entering forwarding state
09:02:29 Kernel [949432.999986] brCD: port 2(ethD) entering forwarding state

09:02:44 Kernel [949447.988709] brCD: port 2(ethD) entering forwarding state

 

The auto negotiation of the 1Gbps interface has some back and forth, but I cannot figure out what is causing the actual interface outage. There are no errors on the interface:

 sho inter gi 0/1
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: LAN
        MAC address c067.af03.48e2, MTU 1500
        IP address 172.16.250.254, subnet mask 255.255.255.0
        109642910 packets input, 31551676414 bytes, 0 no buffer
        Received 246511 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        131432926 packets output, 130128440721 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 1 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (blocks free curr/low): hardware (463/403)
        output queue (blocks free curr/low): hardware (511/418)
  Traffic Statistics for "inside":
        109655135 packets input, 29408056098 bytes
        131449885 packets output, 127725447407 bytes
        3980901 packets dropped
      1 minute input rate 2175 pkts/sec,  306841 bytes/sec
      1 minute output rate 2993 pkts/sec,  3453094 bytes/sec
      1 minute drop rate, 68 pkts/sec
      5 minute input rate 1983 pkts/sec,  265033 bytes/sec
      5 minute output rate 2628 pkts/sec,  2860496 bytes/sec
      5 minute drop rate, 48 pkts/sec

 

 

I seem to be chasing my tail quite a bit on it.  Any advice would be greatly appreciated.

2 Replies

Rudy Sanjoko
Level 4

If you are saying that the auto negotiation has some back and forth, perhaps it is better to set up the negotiation manually. Try setting the speed and duplex manually on both interfaces. Hopefully this can solve your issue.

HTH,

The autonegotiation going back and forth before settling on 1000/full sucks, but I cannot manually set the speed/duplex on the Linux proxy server - it's a limitation of the software. The proxy software vendor of course blames the ASA.

The difficult part is trying to figure out why the port is bouncing at all, as nothing is being done to cause the short outages that occur relatively frequently. Patch cables have been replaced. Is there a creative debug or log anyone can think of? Has anyone experienced similar issues?
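
Added example, not part of the original thread: a small parser that pairs the igb "Link is Down" / "Link is Up" kernel messages from the proxy log quoted in the first post and reports each flap's duration and negotiated speed, duplex and flow control, so the flap times can be lined up against ASA syslog. The function names and the 1000 Mbps expected speed are assumptions made for this example; the sample lines are copied from the post.

```python
import re

# Log lines copied from the proxy server excerpt in the original post.
SAMPLE_LOG = """\
09:00:52 Kernel [949334.379969] igb: ethD NIC Link is Down
09:00:52 Kernel [949334.380911] brCD: port 2(ethD) entering forwarding state
09:00:54 Kernel [949336.450178] igb: ethD NIC Link is Up 10 Mbps Full Duplex, Flow Control: RX/TX
09:00:55 Kernel [949336.989408] igb: ethD NIC Link is Down
09:00:58 Kernel [949340.482199] igb: ethD NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
09:02:25 Kernel [949429.127280] igb: ethD NIC Link is Down
09:02:29 Kernel [949432.999715] igb: ethD NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
"""

LINK_RE = re.compile(
    r"^(?P<clock>\d\d:\d\d:\d\d) \S+ \[\s*(?P<uptime>\d+\.\d+)\] \w+: (?P<nic>\S+) "
    r"NIC Link is (?P<state>Up|Down)"
    r"(?: (?P<speed>\d+) Mbps (?P<duplex>\w+) Duplex, Flow Control: (?P<fc>\S+))?"
)

def parse_link_flaps(log_text, expected_mbps=1000):
    """Pair each 'Link is Down' with the next 'Link is Up' on the same NIC."""
    pending = {}  # nic -> (clock, kernel uptime) of a Down event not yet matched
    flaps = []
    for line in log_text.splitlines():
        m = LINK_RE.match(line.strip())
        if not m:
            continue  # bridge port state changes and unrelated lines
        nic, uptime = m["nic"], float(m["uptime"])
        if m["state"] == "Down":
            pending.setdefault(nic, (m["clock"], uptime))  # keep the first Down
        elif nic in pending:
            down_clock, down_uptime = pending.pop(nic)
            speed = int(m["speed"] or 0)
            flaps.append({
                "nic": nic, "down_at": down_clock, "up_at": m["clock"],
                # kernel uptime has microsecond resolution; the clock has seconds
                "seconds_down": round(uptime - down_uptime, 2),
                "speed_mbps": speed, "duplex": m["duplex"], "flow_control": m["fc"],
                "degraded": speed < expected_mbps,
            })
    return flaps

def negotiation_results(flaps):
    """Distinct (speed, duplex, flow control) outcomes, in order first seen."""
    keys = ((f["speed_mbps"], f["duplex"], f["flow_control"]) for f in flaps)
    return list(dict.fromkeys(keys))

if __name__ == "__main__":
    for flap in parse_link_flaps(SAMPLE_LOG):
        print(flap)
```
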
