10-11-2021 12:18 PM - edited 10-11-2021 12:21 PM
Hello. I have a customer who has been complaining of slow internet. I have verified packet loss pinging out to the internet on a user's machine. A packet capture also shows a fair amount of TCP retransmissions and out-of-order packets. Upon further inspection I also saw packet loss pinging to the internet from the ASA outside interface (Gi0/0/0), which connects to the ISP. Looking at the outside interface I saw a large number of errors, which were all overrun errors.
I cleared Gi0/0/0 and have seen the errors begin again - all overrun errors. After reading I have found this can be a buffer oversubscription issue. Looking at the 'sh asp drop' outputs I see a large number 'tcp-rstfin-ooo' drops along with 'tcp-not-syn' drops. I have not run a capture on the ASA yet because I want approval from customer first.
What do you guys think? Is this more likely an ASA hardware/software issue or is this an ISP issue? This is a 5525-X model and the customer circuit is 1Gb.
ASA# sh int gi0/0
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 843d.c6fb.13ff, MTU 1500
IP address 216.84.26.66, subnet mask 255.255.255.192
168042797 packets input, 170600460805 bytes, 0 no buffer
Received 23029 broadcasts, 0 runts, 0 giants
1330 input errors, 0 CRC, 0 frame, 1330 overrun, 0 ignored, 0 abort
ASA# sh asp drop
NAT-T keepalive message (natt-keepalive) 147
IPSEC tunnel is down (ipsec-tun-down) 2
SVC Module does not have a channel for reinjection (mp-svc-no-channel) 107
SVC Module does not have a session (mp-svc-no-session) 1028
SVC Module is in flow control (mp-svc-flow-control) 3519
Invalid TCP Length (invalid-tcp-hdr-length) 2
No valid adjacency (no-adjacency) 8
No route to host (no-route) 1941
Reverse-path verify failed (rpf-violated) 8761
Flow is denied by configured rule (acl-drop) 178741
Invalid SPI (np-sp-invalid-spi) 4
First TCP packet not SYN (tcp-not-syn) 25459
Bad TCP checksum (bad-tcp-cksum) 2
Bad TCP flags (bad-tcp-flags) 1
TCP failed 3 way handshake (tcp-3whs-failed) 1365
TCP RST/FIN out of order (tcp-rstfin-ooo) 58708
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 48
TCP SYNACK on established conn (tcp-synack-ooo) 1687
TCP packet SEQ past window (tcp-seq-past-win) 1462
TCP RST/SYN in window (tcp-rst-syn-in-win) 227
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 3
TCP packet failed PAWS test (tcp-paws-fail) 28
Early security checks failed (security-failed) 179
Slowpath security checks failed (sp-security-failed) 300
IP option drop (invalid-ip-option) 111
ASA# sh run | i inspect
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
no tcp-inspection
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect h323 h225
inspect h323 ras
inspect sip
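The diagnostic step in the post above (clear the counters, watch whether overruns come back, and see which `show asp drop` reasons are climbing) is easier to reason about as growth per interval than as lifetime totals. What follows is an added example, not from the original post and not Cisco code: a Python script that parses two snapshots of `show interface` and `show asp drop`, computes the deltas, and reports overrun growth relative to packets received and to time. The sample outputs are constructed to resemble the poster's format; the counter values in the second snapshot and the 60-second sampling interval are assumed.

```python
"""Compare two ASA counter snapshots and report what grew between them.

Added example: the snapshots below are constructed to look like the
output of 'show interface' and 'show asp drop'; they are not real data.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the outside interface sampled twice, 60 s apart.
SHOW_INT_T0 = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
        168042797 packets input, 170600460805 bytes, 0 no buffer
        Received 23029 broadcasts, 0 runts, 0 giants
        1330 input errors, 0 CRC, 0 frame, 1330 overrun, 0 ignored, 0 abort
"""
SHOW_INT_T1 = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
        168102797 packets input, 170700460805 bytes, 0 no buffer
        Received 23040 broadcasts, 0 runts, 0 giants
        1412 input errors, 0 CRC, 0 frame, 1412 overrun, 0 ignored, 0 abort
"""
# Constructed sample: a trimmed 'show asp drop' taken at the same two times.
ASP_T0 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                          178741
  First TCP packet not SYN (tcp-not-syn)                                 25459
  TCP RST/FIN out of order (tcp-rstfin-ooo)                              58708
  TCP packet SEQ past window (tcp-seq-past-win)                           1462
Last clearing: Never
"""
ASP_T1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                          178900
  First TCP packet not SYN (tcp-not-syn)                                 25610
  TCP RST/FIN out of order (tcp-rstfin-ooo)                              59390
  TCP packet SEQ past window (tcp-seq-past-win)                           1470
Last clearing: Never
"""

# Counters pulled from 'show interface'; each pattern captures one integer.
_INT_FIELDS = {
    "packets_input": r"(\d+) packets input",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "overrun": r"(\d+) overrun",
}
# One 'show asp drop' counter line: "... (reason-name)   <count>".
_ASP_LINE = re.compile(r"\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_show_interface(text: str) -> Dict[str, int]:
    """Extract the input-side error counters from 'show interface' text."""
    out: Dict[str, int] = {}
    for key, pat in _INT_FIELDS.items():
        m = re.search(pat, text)
        if not m:
            raise ValueError(f"counter not found in show interface output: {key}")
        out[key] = int(m.group(1))
    return out


def parse_asp_drop(text: str) -> Dict[str, int]:
    """Map each asp drop reason name (the token in parentheses) to its count.
    Header lines such as 'Frame drop:' or 'Last clearing:' have no
    '(name) count' tail and are skipped."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = _ASP_LINE.search(line)
        if m:
            counters[m.group("name")] = int(m.group("count"))
    return counters


def delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-counter growth; a reason absent from the first snapshot counts from 0."""
    return {k: after[k] - before.get(k, 0) for k in after}


def overrun_report(int_t0: str, int_t1: str, seconds: float) -> Dict[str, object]:
    """Overrun growth normalised to packets received and to wall-clock time.

    Overruns growing while CRC stays at zero means frames arrived intact on
    the wire but were dropped before the ASA drained its receive ring, so the
    loss is on the ASA side of the link rather than a cabling/ISP symptom.
    """
    d = delta(parse_show_interface(int_t0), parse_show_interface(int_t1))
    pkts = d["packets_input"]
    return {
        "packets_delta": pkts,
        "overrun_delta": d["overrun"],
        "crc_delta": d["crc"],
        "overrun_per_million": round(d["overrun"] * 1e6 / pkts, 2) if pkts else 0.0,
        "overrun_per_sec": round(d["overrun"] / seconds, 2),
        "rx_side_not_wire": d["overrun"] > 0 and d["crc"] == 0,
    }


def asp_growth(asp_t0: str, asp_t1: str, top: int = 5) -> List[Tuple[str, int]]:
    """The asp drop reasons that grew between snapshots, largest growth first."""
    d = delta(parse_asp_drop(asp_t0), parse_asp_drop(asp_t1))
    grew = [(k, v) for k, v in d.items() if v > 0]
    return sorted(grew, key=lambda kv: -kv[1])[:top]


def main() -> None:
    report = overrun_report(SHOW_INT_T0, SHOW_INT_T1, seconds=60)
    for key, value in report.items():
        print(f"{key:>22}: {value}")
    print("asp drop growth (reason, delta):")
    for name, grown in asp_growth(ASP_T0, ASP_T1):
        print(f"  {name:<22} {grown}")


if __name__ == "__main__":
    main()
```

The parsers only key on the tokens the ASA itself prints (the `(reason-name)` tail of each asp drop line and the named counters on the `input errors` line), so the same script runs unchanged on two real captures pasted from the box; only the snapshot strings and the interval need replacing.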
10-11-2021 12:35 PM
Not an easy walk to solve this -- where is this interface connected, and does the ASA have an IPS module?
Check for any cable issue in the first place (make sure there are no physical problems).
If possible, try tweaking the connection timeout.
10-11-2021 12:44 PM
This is a 5525-X so yes it has the IPS module. The interface connects to the ISP router as far as I know. I am assisting remotely but can suggest replacing the cable. I would expect to see CRC type error if it was a physical issue.
I am seeing these issues on a user's machine as soon as they initiate the connection to the internet (Office 365, for example), so I am not sure how increasing the connection timeout from the 1 hour default would help, but I can suggest it.