Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6835
Views
0
Helpful
3
Replies

ASA5510 High Drop Packet Count on the Inside Interface

Go to solution
pootboy69
Level 1
Level 1

‎04-26-2011 01:34 PM - edited ‎02-21-2020 04:19 AM

We have been experiencing some issues with occasional dropped connections to VPN clients. In investgating, we used the mtr utility to trace from inside out LAN to an external host. The first-hop packet loss (from the host to the ASA) seemed excessive, sometimes reaching 50%. The only thing between the host and the ASA is a gigabit switch. A ping flood from the same host to the same destinations show a 0% packet loss.

Looking at the inside interface, using the ASDM Interface Grapher for Drop Packet Count shows a nearly consistent 510-512 Kpackets lost.

What can cause thie? Can this be mitigated by reconfiguring the Interface from Auto/Auto to 1000/Full? Where do I begin finding the source of this packet drop, and is it real or some artifact of the ASA firmware?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
sean_evershed
Level 7
Level 7

‎04-27-2011 01:21 AM

I read somewhere that Cisco recommends that the connection between the switch and firewall should be  set to auto / auto.


Find below a troubleshooting guide for interface errors on the ASA:

https://supportforums.cisco.com/docs/DOC-12439

Ther inside switch is healthy with no errors?

Find below a troubleshooting guide for VPN problems. Check to see if there are any error logs on the client when their connection drops.

If the problem can be replicated check for error logs on the ASA as well.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Please remember to rate helpful posts.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
sean_evershed
Level 7
Level 7

‎04-27-2011 01:21 AM

I read somewhere that Cisco recommends that the connection between the switch and firewall should be  set to auto / auto.


Find below a troubleshooting guide for interface errors on the ASA:

https://supportforums.cisco.com/docs/DOC-12439

Ther inside switch is healthy with no errors?

Find below a troubleshooting guide for VPN problems. Check to see if there are any error logs on the client when their connection drops.

If the problem can be replicated check for error logs on the ASA as well.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Please remember to rate helpful posts.

0 Helpful

Go to solution
pootboy69
Level 1
Level 1
In response to sean_evershed

‎04-27-2011 09:29 AM

Thank you for your response!

I've investigated this, using many of the tools you suggested, and have come to the conclusion that it has to be the "mtr" utility that is the culprit. I get consistent relies to the inside interface and to the ASA default gateway of less than 1ms. The ASDM reports that cumulative packet loss over the last two days is less that 10. There have been no errors on the ASA inside interface reported since last Friday.

Regards,

Wolf

0 Helpful

Go to solution
sean_evershed
Level 7
Level 7
In response to pootboy69

‎04-27-2011 06:43 PM

Thanks Wolf for the feedback and for the rating.

Cheers

Sean

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card