07-21-2014 09:15 AM - edited 03-11-2019 09:30 PM
Hi guys,
I am facing the issue that a high number of packet drops occur at the dmz interface of my ASA and result in poor performance.
I think it's due to overload of this interface, but I am not sure. I think these are caused by FIFO drops. Maybe you could have a look and give me some hints.
An HTTP webserver is behind the dmz interface and its one and only to-do is to deliver large downloads to a mobile device application.
Used:
ASA5520 with Software Version 9.1(2)
Interface:
Interface GigabitEthernet1/1 "dmz", is up, line protocol is up
Hardware is VCS7380 rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Media-type configured as RJ45 connector
MAC address e05f.b904.442f, MTU 1500
IP address 194.XXX.XXX.XXX, subnet mask 255.255.255.248
700818945 packets input, 533657238216 bytes, 0 no buffer
Received 86031 broadcasts, 0 runts, 0 giants
44542 input errors, 503 CRC, 0 frame, 44039 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
1 L2 decode drops
633286935 packets output, 329190807035 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
RX and TX are rings full???
output queue (blocks free curr/low): hardware (0/0)
Traffic Statistics for "dmz":
694978423 packets input, 520532256773 bytes
633334954 packets output, 317560628598 bytes
1123842 packets dropped
1 minute input rate 36 pkts/sec, 11542 bytes/sec
1 minute output rate 40 pkts/sec, 20800 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 50 pkts/sec, 22335 bytes/sec
5 minute output rate 55 pkts/sec, 33085 bytes/sec
5 minute drop rate, 0 pkts/sec
---> The CRC Errors are solved by changing the wires. No Layer 2 issues anymore.
GigabitEthernet1/1:
received (in 14459.120 secs):
1455190 packets 1357176600 bytes
100 pkts/sec 93268 bytes/sec
transmitted (in 14459.120 secs):
1205554 packets 530192157 bytes
83 pkts/sec 36074 bytes/sec
1 minute input rate 46 pkts/sec, 17419 bytes/sec
1 minute output rate 55 pkts/sec, 30982 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 45 pkts/sec, 16497 bytes/sec
5 minute output rate 52 pkts/sec, 27821 bytes/sec
5 minute drop rate, 0 pkts/sec
---> Average packet size 100 / 93268 = 933 byte/packet
--> One minute average = 17419 / 46 = 379 byte/packet
Show blocks:
SIZE MAX LOW CNT
0 700 654 700
4 300 299 299
80 1155 1093 1154
256 3636 3403 3628
1550 9801 9264 9542
2048 3100 3054 3100
2560 2052 2051 2052
4096 100 98 100
8192 100 98 100
16384 154 152 154
65536 16 14 16
Show blocks interface:
Memory Pool SIZE LIMIT/MAX LOW CNT GLB:HELD GLB:TOTAL
DMA 2048 512 0 235 0 57096
Memory Pool SIZE LIMIT/MAX LOW CNT GLB:HELD GLB:TOTAL
DMA 1550 2560 1170 1537 0 0
Show conn count:
5791 in use, 10474 most used
Show resource usage:
Resource Current Peak Limit Denied Context
Telnet 0 2 5 0 System
SSH 0 1 5 0 System
ASDM 1 3 30 0 System
Syslogs [rate] 178 2493 N/A 0 System
Conns 6142 10474 280000 0 System
Xlates 38 51 N/A 0 System
Hosts 4935 9566 N/A 0 System
Conns [rate] 110 1405 N/A 0 System
Inspects [rate] 5 969 N/A 0 System
Routes 119 150 unlimited 0 System
Show cpu
CPU utilization for 5 seconds = 12%; 1 minute: 16%; 5 minutes: 17%
Show perfmon
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 80/s 0/s
TCP Conns 31/s 0/s
UDP Conns 41/s 0/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCP Intercept Established Conns 0/s 0/s
TCP Intercept Attempts 0/s 0/s
TCP Embryonic Conns Timeout 0/s 0/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
VALID CONNS RATE in TCP INTERCEPT: Current Average
N/A 707875.00%
I think the percentage is a cosmetic error!
Within the ASA logs I see a lot of FIN TIMEOUTS. Source: my mobile device on port 50973 --> Destination: the webserver on port 80.
Could I handle this issue by enabling flow control? Which watermark values should I use? Or is the ASA with its specs not performant enough to process the traffic that occurs?
It would be nice if you could share your ideas.
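An added example, not part of the original post: a Python sketch that parses the input-side counters from the `show interface` output above and puts the overruns in proportion to total input packets and to total input errors, alongside the average input packet size. The sample text is constructed from the post's own counter lines, and the function names are hypothetical.

```python
import re

# Constructed sample: input-side counter lines copied from the post's output.
SAMPLE = """\
700818945 packets input, 533657238216 bytes, 0 no buffer
44542 input errors, 503 CRC, 0 frame, 44039 overrun, 0 ignored, 0 abort
1 minute input rate 46 pkts/sec, 17419 bytes/sec
5 minute input rate 45 pkts/sec, 16497 bytes/sec
"""

PACKETS = re.compile(r"(\d+) packets input, (\d+) bytes")
ERRORS = re.compile(r"(\d+) input errors, (\d+) CRC, \d+ frame, (\d+) overrun")
RATE = re.compile(r"(\d+) minute input rate (\d+) pkts/sec, (\d+) bytes/sec")


def parse_input_counters(text):
    """Extract input counters (hypothetical helper, not a Cisco tool)."""
    pk, er = PACKETS.search(text), ERRORS.search(text)
    if pk is None or er is None:
        raise ValueError("input counter lines not found")
    rates = {int(m): (int(p), int(b)) for m, p, b in RATE.findall(text)}
    return {
        "packets": int(pk.group(1)), "bytes": int(pk.group(2)),
        "errors": int(er.group(1)), "crc": int(er.group(2)),
        "overrun": int(er.group(3)), "rates": rates,
    }


def pct(part, whole):
    """Percentage that tolerates a zero denominator (freshly cleared counters)."""
    return 100.0 * part / whole if whole else 0.0


def summarize(c):
    """Ratios that put the raw counters in proportion."""
    return {
        "overrun_pct_of_input": pct(c["overrun"], c["packets"]),
        "overrun_pct_of_errors": pct(c["overrun"], c["errors"]),
        "avg_bytes_lifetime": c["bytes"] / c["packets"] if c["packets"] else 0.0,
        "avg_bytes_by_window": {
            minutes: (b / p if p else 0.0) for minutes, (p, b) in c["rates"].items()
        },
    }


if __name__ == "__main__":
    for key, value in summarize(parse_input_counters(SAMPLE)).items():
        print(key, value)
```

These counters are cumulative, so running the same parse on two captures and subtracting shows whether overruns are still increasing or are left over from an earlier burst.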