Help with underrun between an ASA5540 – ASA-SSM-20.

albert_coll
Level 1

Hello,

I have an ASA5540 running V8.2.1 equipped with an ASA-SSM-20 running IPS-K9-6.2-2.

The ASA internal-data0/0 interface, aimed to communicate with the ASA-SSM-20 Gi0/1 interface, exhibits some increase in underrun errors. Physical outside and inside gigabit interfaces remain steady.

The ASA redirects all traffic through the SSM for inspection between the inside interface to or from the outside interface, where many IPSec tunnels terminate. I observed that most of the time the internal-data0/0 interface underruns increase precisely when a server located on the remote side of a specific L2L tunnel is transferring large FTP files (several Gb long) to an internal FTP server.


According to the documentation, underruns are the number of times that the transmitter ran faster than the adaptive security appliance could handle. All this leads me to consider that the ASA is unable to handle bursty traffic to or from the SSM-20 module, thus some kind of QoS should be necessary.

I would really appreciate any idea of what to do to mitigate this effect.

Regards in advance.

Interface Internal-Data0/0 "", is up, line protocol is up
  Hardware is i82547GI rev00, BW 1000 Mbps, DLY 10 usec
        (Full-duplex), (1000 Mbps)
        MAC address 0000.0001.0002, MTU not set
        IP address unassigned
        2488409935 packets input, 1619369509464 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        2488409940 packets output, 1619369474024 bytes, 7719 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (blocks free curr/low): hardware (511/486)
        output queue (blocks free curr/low): hardware (511/0

7 Replies

Kureli Sankar
Cisco Employee

Check this out: https://supportforums.cisco.com/docs/DOC-13103

You are correct.

An Overrun is when an incoming (ingress) packet hits the PIX's NIC, and the rx ring is full. This is generally caused by elevated CPU, or CPU hogs or infected hosts.

An Underrun is when part of the packet is in the tx ring, and the driver starts transmitting it on the wire, but is unable to get the remaining part of the packet by the time it has finished transmitting the first part.

-KS
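
Added example, not part of the original thread and not Cisco tooling: a small Python sketch that diffs two `show interface` snapshots to check whether underruns or overruns actually grow during a given window, such as the large FTP transfers described in the question. The function names and both sample snapshots are constructed for illustration; the line formats follow the output quoted in the post.

```python
import re

# Counter patterns for ASA "show interface" output, in the format quoted in the post.
PATTERNS = {
    "pkts_out": r"(\d+) packets output",
    "overruns": r"(\d+) overrun",
    "underruns": r"(\d+) underruns",
    "txq_low": r"output queue \(blocks free curr/low\): hardware \(\d+/(\d+)",
}

def parse_counters(text):
    """Extract the counters above from one snapshot; absent ones are omitted."""
    found = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text)
        if m:
            found[name] = int(m.group(1))
    return found

def compare(before, after):
    """Diff two snapshots; return (deltas, findings)."""
    b, a = parse_counters(before), parse_counters(after)
    delta = {k: a[k] - b[k] for k in ("pkts_out", "overruns", "underruns")}
    if min(delta.values()) < 0:
        raise ValueError("counters went backwards (cleared or reloaded between snapshots)")
    findings = []
    if delta["underruns"]:
        share = delta["underruns"] / max(delta["pkts_out"], 1)
        findings.append(f"tx underruns +{delta['underruns']} ({share:.4%} of packets sent)")
    if delta["overruns"]:
        findings.append(f"rx overruns +{delta['overruns']}")
    if a.get("txq_low") == 0:
        findings.append("output hardware queue low-water mark is 0 free blocks")
    return delta, findings

# Constructed snapshots (not taken from the post), e.g. before and after a large transfer.
BEFORE = """\
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1000 packets output, 900000 bytes, 10 underruns
        output queue (blocks free curr/low): hardware (511/3)
"""
AFTER = """\
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        51000 packets output, 68400000 bytes, 35 underruns
        output queue (blocks free curr/low): hardware (511/0)
"""
if __name__ == "__main__":
    for line in compare(BEFORE, AFTER)[1]:
        print(line)
```
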