Solved: Checking input/output/CRC errors on FTD interfaces

atsukane · ‎01-05-2024

Hi there,

Happy New Year to you all.

We started receiving MAC level error notifications from AWS.

We have a single fibre direct connect presented to a Cat9300 switch, this is split and connected to FTD-2140 active/standby HA pair.

I don't see any errors on the cat switch, and ISP has also confirmed not seeing any errors on their devices either.

However, on the FTD, I can't seem to see any error counters when I run "show interface <interface_name>" or "show interface ethernet 1/n" commands. Even in the "show tech" outputs, the only interfaces that show input/output/CRC error counters are management and internal interfaces.

###########################

Interface Ethernet1/6 "", is up, line protocol is up
Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
Available but not configured via nameif
Interface Ethernet1/6.3 "AWS_1", is up, line protocol is up
Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
VLAN identifier 3
Description: 1Gb AWS Direct Circuit
MAC address eeee.3333.a123, MTU 1500
IP address 192.168.100.3, subnet mask 255.255.255.0
Control Point Interface States:
Interface number is 29
Interface config status is active
Interface state is active
Control Point Vlan3 States:
Interface vlan config status is active
Interface vlan state is UP

###########################

Are there any ways of seeing error counters on FTD so that I can determine the issue is not related to the devices we manage onprem?

FMC and FTD are both running 7.2.4.

Thanks,

tvotna · ‎01-10-2024

Example:

FW /eth-uplink/fabric # scope int 1 5
FW /eth-uplink/fabric/interface # show stats

Ether Error Stats:
Time Collected: 2024-01-10T15:48:40.864
Monitored Object: sys/switch-A/slot-1/switch-ether/port-5/err-stats
Suspect: No
Rcv (errors): 0
Align (errors): 0
Fcs (errors): 0
Xmit (errors): 0
Under Size (errors): 0
Out Discard (errors): 0
Deferred Tx (errors): 0
Int Mac Tx (errors): 0
Int Mac Rx (errors): 0
Thresholded: Xmit Delta Min

Ether Loss Stats:
Time Collected: 2024-01-10T15:48:40.864
Monitored Object: sys/switch-A/slot-1/switch-ether/port-5/loss-stats
Suspect: No
Single Collision (errors): 0
Multi Collision (errors): 0
Late Collision (errors): 0
Excess Collision (errors): 0
Carrier Sense (errors): 0
Giants (errors): 0
Symbol (errors): 0
SQE Test (errors): 0
Thresholded: 0

Ether Pause Stats:
Time Collected: 2024-01-10T15:48:40.864
Monitored Object: sys/switch-A/slot-1/switch-ether/port-5/pause-stats
Suspect: No
Recv Pause (pause): 0
Xmit Pause (pause): 0
Resets (resets): 0
Thresholded: 0

Ether Rx Stats:
Time Collected: 2024-01-10T15:48:40.864
Monitored Object: sys/switch-A/slot-1/switch-ether/port-5/rx-stats
Suspect: No
Total Packets (packets): 297523080
Unicast Packets (packets): 269895781
Multicast Packets (packets): 27627299
Broadcast Packets (packets): 0
Total Bytes (bytes): 44607393770
Jumbo Packets (packets): 4855313
Thresholded: 0

Ether Tx Stats:
Time Collected: 2024-01-10T15:48:40.864
Monitored Object: sys/switch-A/slot-1/switch-ether/port-5/tx-stats
Suspect: No
Total Packets (packets): 93245405
Unicast Packets (packets): 93245402
Multicast Packets (packets): 0
Broadcast Packets (packets): 3
Total Bytes (bytes): 6299227124
Jumbo Packets (packets): 0
Thresholded: 0

View solution in original post

Marius Gunnerud · ‎01-10-2024

this information can be found in FXOS. For example if the interface you want to check is Eth1/6 then you would issue the following commands.

connect fxos
scope eth-uplink
scope fabric a
scope interface 1 6
show stats

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

MHM Cisco World · ‎01-05-2024

can you check both FTD outside interface ?
check if MAC is same or not
MHM

atsukane · ‎01-05-2024

Thanks @MHM Cisco World for the prompt response.

we've set virtual MACs via FMC, and the interface where AWS DX is connected to have different MAC address, active unit with MAC ending a123 and standby ending b123.

AWS notifications are received at random and no FTD failover events.

MHM Cisco World · ‎01-05-2024

I check
show interface x
show more detail that you share
what is FTD mode you run this command from ?
MHM

atsukane · ‎01-09-2024

HI @MHM Cisco World

I've run show interface xx on in FTD mode and system support diagnostic-cli mode, and both the same, no error counters.

Thanks,

tvotna · ‎01-09-2024

You need to connect to FXOS: "connect fxos": https://www.cisco.com/c/en/us/td/docs/security/firepower/2100/troubleshoot_fxos/b_2100_CLI_Troubleshoot/about_the_firepower_2100_security_appliance_cli.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/2100/troubleshoot_fxos/b_2100_CLI_Troubleshoot/fxos_cli_troubleshooting_commands.html#concept_rc2_pmk_smb

atsukane · ‎01-10-2024

Thanks @tvotna

tried eth-uplink mode, "show interface Ethernet1/6" just tells you the state:

Ethernet1/6 Data Enabled Up Unknown 0 Up

"show interface detail" don't show error counters either, and the "show stats" shows errors but for port-channels only it seems.

Port Name: Ethernet1/6
User Label:
Port Type: Data
Admin State: Enabled
Oper State: Up
State Reason: Up
flow control policy: default
Auto negotiation: Yes
Admin Speed: 1 Gbps
Oper Speed: 1 Gbps
Admin Duplex: Full Duplex
Oper Duplex: Full Duplex
Admin Fec: Auto
Oper Fec: Indeterminate
Ethernet Link Profile name: default
Oper Ethernet Link Profile name: fabric/lan/eth-link-prof-default
Udld Oper State: Unknown
Inline Pair Admin State: Enabled
Inline Pair Peer Port Name:
Network Control Policy: default
Current Task:

tvotna · ‎01-10-2024

Example:

FW /eth-uplink/fabric # scope int 1 5
FW /eth-uplink/fabric/interface # show stats

Ether Error Stats:
Time Collected: 2024-01-10T15:48:40.864
Monitored Object: sys/switch-A/slot-1/switch-ether/port-5/err-stats
Suspect: No
Rcv (errors): 0
Align (errors): 0
Fcs (errors): 0
Xmit (errors): 0
Under Size (errors): 0
Out Discard (errors): 0
Deferred Tx (errors): 0
Int Mac Tx (errors): 0
Int Mac Rx (errors): 0
Thresholded: Xmit Delta Min

Ether Loss Stats:
Time Collected: 2024-01-10T15:48:40.864
Monitored Object: sys/switch-A/slot-1/switch-ether/port-5/loss-stats
Suspect: No
Single Collision (errors): 0
Multi Collision (errors): 0
Late Collision (errors): 0
Excess Collision (errors): 0
Carrier Sense (errors): 0
Giants (errors): 0
Symbol (errors): 0
SQE Test (errors): 0
Thresholded: 0

Ether Pause Stats:
Time Collected: 2024-01-10T15:48:40.864
Monitored Object: sys/switch-A/slot-1/switch-ether/port-5/pause-stats
Suspect: No
Recv Pause (pause): 0
Xmit Pause (pause): 0
Resets (resets): 0
Thresholded: 0

Ether Rx Stats:
Time Collected: 2024-01-10T15:48:40.864
Monitored Object: sys/switch-A/slot-1/switch-ether/port-5/rx-stats
Suspect: No
Total Packets (packets): 297523080
Unicast Packets (packets): 269895781
Multicast Packets (packets): 27627299
Broadcast Packets (packets): 0
Total Bytes (bytes): 44607393770
Jumbo Packets (packets): 4855313
Thresholded: 0

Ether Tx Stats:
Time Collected: 2024-01-10T15:48:40.864
Monitored Object: sys/switch-A/slot-1/switch-ether/port-5/tx-stats
Suspect: No
Total Packets (packets): 93245405
Unicast Packets (packets): 93245402
Multicast Packets (packets): 0
Broadcast Packets (packets): 3
Total Bytes (bytes): 6299227124
Jumbo Packets (packets): 0
Thresholded: 0

atsukane · ‎01-10-2024

Thank you @tvotna, that's worked.

I thought that "scope interface 1/6" would show me the Ethernet 1/6 but didn't accept it so used "scope interface 1 6" and seems to be showing the correct interface.

No errors by the look of things so all is well. Thanks again.

UKLON1FW1 /eth-uplink/fabric # scope interface
1-5 Slot ID
n/n Ethernet<Slot Id>/<Port Id>

UKLON1FW1 /eth-uplink/fabric # scope interface 1/6
^
% Invalid Value at '^' marker, Accepted value is: 1-5
UKLON1FW1 /eth-uplink/fabric # scope interface 1 6
UKLON1FW1 /eth-uplink/fabric/interface # show stats

Ether Error Stats:
Time Collected: 2024-01-10T14:35:06.184
Monitored Object: sys/switch-A/slot-1/switch-ether/port-6/err-stats
Suspect: No
Rcv (errors): 0
Align (errors): 0
Fcs (errors): 0
Xmit (errors): 0
Under Size (errors): 0
Out Discard (errors): 0
Deferred Tx (errors): 0
Int Mac Tx (errors): 0
Int Mac Rx (errors): 0
Thresholded: Xmit Delta Min

Ether Loss Stats:
Time Collected: 2024-01-10T14:35:06.184
Monitored Object: sys/switch-A/slot-1/switch-ether/port-6/loss-stats
Suspect: No
Single Collision (errors): 0
Multi Collision (errors): 0
Late Collision (errors): 0
Excess Collision (errors): 0
Carrier Sense (errors): 0
Giants (errors): 0
Symbol (errors): 0
SQE Test (errors): 0
Thresholded: 0

Ether Pause Stats:
Time Collected: 2024-01-10T14:35:06.184
Monitored Object: sys/switch-A/slot-1/switch-ether/port-6/pause-stats
Suspect: No
Recv Pause (pause): 0
Xmit Pause (pause): 0
Resets (resets): 0
Thresholded: 0

Ether Rx Stats:
Time Collected: 2024-01-10T14:35:06.184
Monitored Object: sys/switch-A/slot-1/switch-ether/port-6/rx-stats
Suspect: No
Total Packets (packets): 17537417495
Unicast Packets (packets): 17532744557
Multicast Packets (packets): 4665316
Broadcast Packets (packets): 7622
Total Bytes (bytes): 2691809904919
Jumbo Packets (packets): 57018985388
Thresholded: 0

Ether Tx Stats:
Time Collected: 2024-01-10T14:35:06.184
Monitored Object: sys/switch-A/slot-1/switch-ether/port-6/tx-stats
Suspect: No
Total Packets (packets): 58338878289
Unicast Packets (packets): 58338878244
Multicast Packets (packets): 0
Broadcast Packets (packets): 45
Total Bytes (bytes): 81503759082772
Jumbo Packets (packets): 0
Thresholded: 0
UKLON1FW1 /eth-uplink/fabric/interface #

MHM Cisco World · ‎01-10-2024

so Now we see error counter why AWS notify you about the MAC level ?
did you get answer from AWS
MHM

Marius Gunnerud · ‎01-10-2024

if you want to use the / format for the interface definition you would need the command to be the following

scope interface Ethernet1/6

--
Please remember to select a correct answer and rate helpful posts

atsukane · ‎01-10-2024

Perfect, thank you. confirmed "scope interface Ethernet1/6" and "scope interface 1 6" both works.

Marius Gunnerud · ‎01-10-2024

this information can be found in FXOS. For example if the interface you want to check is Eth1/6 then you would issue the following commands.

connect fxos
scope eth-uplink
scope fabric a
scope interface 1 6
show stats

--
Please remember to select a correct answer and rate helpful posts