Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
287
Views
3
Helpful
9
Replies

Inconsistent connectivity going to/thru the Cisco ASA FW

DSterling
Level 1
Level 1

‎06-13-2024 07:59 AM

Having a issue with inconsistent connectivity going to/thru the Cisco ASA to the inside interface and going to devices on the outside interface from Vlan 111.

DSterling_0-1718290495261.png

Ping Switch 3 source vlan 111 to FW Inside interface 11.185.20.2 and I get a lot of drops, but it's inconsistent, some times it will gets thru for 100 pings and a min later it will drop most if not all packets. I have tested this during low traffic times. 

Ping Switch 3 source vlan 109 to FW Inside interface 11.185.20.2 and I get  0 drops every time.

Ping from Switch 3 to Switch 1 - 11.185.20.1 with no drops every time.

Ping from Switch 2 to the FW Inside interface 11.185.20.2 and I get  0 drops every time.

There are no ACLs on the vlans or between Switch 3 and the FW.

Labels:
0 Helpful
9 Replies 9

Georg Pauwen
VIP
VIP

‎06-13-2024 09:43 AM

Hello,

tough one. Can you post the configs of all three switches as well as the ASA ? Maybe we can spot something...

DSterling
Level 1
Level 1
In response to Georg Pauwen

‎06-13-2024 09:49 AM

 

Georg, 

I can't post the configs, it's on a secure network. I noticed that the MTU size is 9000 and other vlans are 1500, I'm going to get approval to change and test and see if that's the issue. 

v/r Dave

Georg Pauwen
VIP
VIP
In response to DSterling

‎06-14-2024 02:24 AM

Hello,

maybe you can isolate the issue when you start pinging between Switch 3 and Switch 2, then between Switch 2 and Switch 1, then between Switch 2 and the ASA...?

0 Helpful

MHM Cisco World
VIP
VIP
In response to DSterling

‎06-14-2024 02:26 AM

MTU miss match can be issue here 
run 

show interface in ASA 

see if there is any Input drop 

MHM

0 Helpful

MHM Cisco World
VIP
VIP

‎06-13-2024 09:54 AM

asa# show nat pool <<- share this 
it can POOL dont have more port 

let check first 

MHM

0 Helpful

DSterling
Level 1
Level 1

‎06-17-2024 05:54 AM

I changed the MTU size to 1500 and also tried 9216 on vlan 111 and it did not fix the issue so I changed it back to 9000. I'm thinking it's something with the FW. 

0 Helpful

MHM Cisco World
VIP
VIP
In response to DSterling

‎06-17-2024 06:09 AM

Show nat pool 

Share this output from asa

MHM

0 Helpful

DSterling
Level 1
Level 1
In response to MHM Cisco World

‎06-17-2024 08:16 AM - edited ‎06-17-2024 08:16 AM

MHM we are not using NAT, no NAT rules are configured. 

Thank you,

Dave

MHM Cisco World
VIP
VIP
In response to DSterling

‎06-17-2024 08:34 AM

Ok' 

Show interface  <INside> 

Check if you see overrun counter increase rapidly 

Do command at least twice and check counter each time 

If you see it increase 

Then enable flow-control in INside interface 

MHM

0 Helpful
Customers Also Viewed These Support Documents