ASA Overrun Errors & Packet Drops

ehayric1320 (Level 1)

Hello. I have a customer who has been complaining of slow internet. I have verified packet loss pinging out to the internet on a user's machine. A packet capture also shows a fair amount of TCP retransmissions and out-of-order packets. Upon further inspection I also saw packet loss pinging to the internet from the ASA outside interface (Gi0/0/0), which connects to the ISP. Looking at the outside interface I saw a large number of errors, which were all overrun errors.

I cleared Gi0/0/0 and have seen the errors begin again - all overrun errors. After reading I have found this can be a buffer oversubscription issue. Looking at the 'sh asp drop' output I see a large number of 'tcp-rstfin-ooo' drops along with 'tcp-not-syn' drops. I have not run a capture on the ASA yet because I want approval from the customer first.

What do you guys think? Is this more likely an ASA hardware/software issue or an ISP issue? This is a 5525-X model and the customer circuit is 1Gb.


ASA# sh int gi0/0
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 843d.c6fb.13ff, MTU 1500
IP address 216.84.26.66, subnet mask 255.255.255.192
168042797 packets input, 170600460805 bytes, 0 no buffer
Received 23029 broadcasts, 0 runts, 0 giants
1330 input errors, 0 CRC, 0 frame, 1330 overrun, 0 ignored, 0 abort

ASA# sh asp drop
NAT-T keepalive message (natt-keepalive) 147
IPSEC tunnel is down (ipsec-tun-down) 2
SVC Module does not have a channel for reinjection (mp-svc-no-channel) 107
SVC Module does not have a session (mp-svc-no-session) 1028
SVC Module is in flow control (mp-svc-flow-control) 3519
Invalid TCP Length (invalid-tcp-hdr-length) 2
No valid adjacency (no-adjacency) 8
No route to host (no-route) 1941
Reverse-path verify failed (rpf-violated) 8761
Flow is denied by configured rule (acl-drop) 178741
Invalid SPI (np-sp-invalid-spi) 4
First TCP packet not SYN (tcp-not-syn) 25459
Bad TCP checksum (bad-tcp-cksum) 2
Bad TCP flags (bad-tcp-flags) 1
TCP failed 3 way handshake (tcp-3whs-failed) 1365
TCP RST/FIN out of order (tcp-rstfin-ooo) 58708
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 48
TCP SYNACK on established conn (tcp-synack-ooo) 1687
TCP packet SEQ past window (tcp-seq-past-win) 1462
TCP RST/SYN in window (tcp-rst-syn-in-win) 227
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 3
TCP packet failed PAWS test (tcp-paws-fail) 28
Early security checks failed (security-failed) 179
Slowpath security checks failed (sp-security-failed) 300
IP option drop (invalid-ip-option) 111

ASA# sh run | i inspect
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
no tcp-inspection
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect h323 h225
inspect h323 ras
inspect sip

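As an added triage example (my own script, not from the post or from Cisco), the following parses the two outputs pasted above and answers the two questions a firewall engineer asks first: are the input errors a cabling signature (CRC/frame) or a buffer signature (overrun), and which asp drop reasons dominate. The grouping of `tcp-not-syn`, `tcp-rstfin-ooo`, `tcp-synack-ooo` and `tcp-seq-past-win` as "loss/reordering symptoms" is my own triage convention (the ASA's TCP state tracking raises them when it sees segments it did not expect, which is what upstream loss or the ASA's own dropped input looks like), not an official Cisco classification. The sample input is a trimmed copy of the post's own output.

```python
"""Triage helper for ASA interface overruns vs. 'show asp drop' counters."""
import re

# Constructed sample input: copies of the two outputs pasted in the post above,
# trimmed to the lines the parser cares about.
SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
168042797 packets input, 170600460805 bytes, 0 no buffer
Received 23029 broadcasts, 0 runts, 0 giants
1330 input errors, 0 CRC, 0 frame, 1330 overrun, 0 ignored, 0 abort
"""

SHOW_ASP_DROP = """\
No route to host (no-route) 1941
Reverse-path verify failed (rpf-violated) 8761
Flow is denied by configured rule (acl-drop) 178741
First TCP packet not SYN (tcp-not-syn) 25459
TCP failed 3 way handshake (tcp-3whs-failed) 1365
TCP RST/FIN out of order (tcp-rstfin-ooo) 58708
TCP SYNACK on established conn (tcp-synack-ooo) 1687
TCP packet SEQ past window (tcp-seq-past-win) 1462
"""

# Drop reasons raised by the ASA's TCP state tracking when it sees segments it
# did not expect. Treating them as "loss/reordering symptoms" is my own triage
# convention for this example, not an official Cisco classification.
LOSS_SYMPTOM_REASONS = {"tcp-not-syn", "tcp-rstfin-ooo",
                        "tcp-synack-ooo", "tcp-seq-past-win"}

ERR_LINE = re.compile(r"(\d+) input errors, (\d+) CRC, (\d+) frame, "
                      r"(\d+) overrun, (\d+) ignored, (\d+) abort")
ERR_NAMES = ("input_errors", "crc", "frame", "overrun", "ignored", "abort")


def parse_interface_counters(text):
    """Return the input-side counters from 'show interface' as {name: int}."""
    counters = {}
    m = re.search(r"(\d+) packets input", text)
    if m:
        counters["packets_input"] = int(m.group(1))
    m = ERR_LINE.search(text)
    if m:
        counters.update(zip(ERR_NAMES, map(int, m.groups())))
    return counters


def parse_asp_drop(text):
    """Return {short-reason: count} from 'show asp drop' lines such as
    'First TCP packet not SYN (tcp-not-syn) 25459'."""
    drops = {}
    for line in text.splitlines():
        m = re.match(r".*\(([\w-]+)\)\s+(\d+)$", line.strip())
        if m:
            drops[m.group(1)] = int(m.group(2))
    return drops


def classify_input_errors(counters):
    """Split input errors into physical-layer (CRC/frame) and buffer-side
    (overrun) causes and express them relative to packets received."""
    physical = counters.get("crc", 0) + counters.get("frame", 0)
    overrun = counters.get("overrun", 0)
    total = counters.get("input_errors", 0)
    pkts = counters.get("packets_input", 0)
    return {
        "physical": physical,
        "overrun": overrun,
        # share of all input errors that are overruns (1.0 => not a cabling signature)
        "overrun_share": overrun / total if total else 0.0,
        # input errors per packet received
        "error_rate": total / pkts if pkts else 0.0,
    }


def triage(interface_text, asp_text, top_n=5):
    """Combine both outputs into one summary: where the input errors come from,
    which asp drop reasons dominate, and how many drops look like TCP loss symptoms."""
    errors = classify_input_errors(parse_interface_counters(interface_text))
    drops = parse_asp_drop(asp_text)
    ranked = sorted(drops.items(), key=lambda kv: kv[1], reverse=True)
    symptom_total = sum(n for reason, n in drops.items()
                        if reason in LOSS_SYMPTOM_REASONS)
    return {
        "errors": errors,
        "top_reasons": ranked[:top_n],
        "loss_symptom_drops": symptom_total,
        # Overruns with zero CRC/frame errors point at the ASA not draining its
        # receive ring fast enough, not at the cable or the far-end port.
        "overrun_dominates": errors["overrun_share"] > 0.9 and errors["physical"] == 0,
    }


if __name__ == "__main__":
    summary = triage(SHOW_INTERFACE, SHOW_ASP_DROP)
    print("input errors:", summary["errors"])
    print("top drop reasons:", summary["top_reasons"])
    print("TCP loss-symptom drops:", summary["loss_symptom_drops"])
    print("overrun-dominated:", summary["overrun_dominates"])
```

Run against the post's counters it reports 1330 overruns with zero CRC/frame errors (an overrun share of 1.0, so a cabling fault is unlikely, which matches the poster's own reasoning), `acl-drop` as the largest asp drop reason followed by `tcp-rstfin-ooo`, and roughly 87k drops in the loss-symptom group. Because `show asp drop` counters are cumulative since the last clear, compare two snapshots taken a known interval apart before drawing conclusions about rates.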
2 Replies

balaji.bandi (Hall of Fame)

Not an easy walk to solve this. Where is this interface connected? Does the ASA have an IPS module?

Check for any cable issue in the first place (make sure there are no physical-layer problems).

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115985-asa-overrun-product-tech-note-00.html

If possible, try tweaking the connection timeout.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/firewall/asa-98-firewall-config/conns-connlimits.html

BB


This is a 5525-X, so yes, it has the IPS module. The interface connects to the ISP router as far as I know. I am assisting remotely but can suggest replacing the cable. I would expect to see CRC-type errors if it was a physical issue.

I am seeing these issues on a user's machine as soon as they initiate the connection to the internet (Office 365, for example), so I am not sure how increasing the connection timeout from the 1 hour default would help, but I can suggest it.
