2434 Views · 5 Helpful · 3 Replies

Interface speed differences causing overruns/underruns on ASA5520

swharvey
Level 3

We are running an ASA5520 on 7.2(2) code and are experiencing underruns/overruns on all 3 of our firewall interfaces. The speed and duplex settings are correct and there are no collisions, input or output errors. Below are the interface definitions, and I believe that this problem started when we increased the inside interface to Gig/full.

Inside: Gig/full

Outside: 100Mb/full

DMZ: 100Mb/full

The Outside and DMZ interfaces are hard coded, as are the Cisco devices they attach to. The Inside interface is set to auto/full duplex.

All Cisco network devices connected to each of the ASA interfaces match the speeds/duplex settings, and there are no collisions, input/output errors, or runts, giants, or late collisions.

I think the inside interface set at Gig is causing the overruns/underruns. When the inside interface was set to 100Mb full, the overrun/underrun problem does not occur.

Thoughts on this?

(Background: we are in the process of migrating to all Gig capable devices and the inside was our starting point. Eventually DMZ and Outside will be Gig capable.)

3 Replies

swharvey
Level 3

Anyone have a response to this inquiry?

Hello,

You are entirely correct. The buffers on the PIX are only so large, and you have one interface that is running at Gigabit speed, while the others are running at 100M. What happens is that you accept traffic from the gigabit interface, and then it has to be buffered because it's going out a 100M interface, which won't handle above that rate.

Once that buffer is filled up, packets get dropped and will have to be retransmitted.

This is a normal occurrence when you have speed mismatches between interfaces. Unless users are complaining about performance, the TCP retransmit mechanism should take care of this.

From the 'show interface' command in the command reference:

Overrun

The number of times that the security appliance was incapable of handing received data to a hardware buffer because the input rate exceeded the security appliance capability to handle the data.

--Jason

Please rate this message if it helped solve some/all of your question or issue.
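One way to monitor the symptom Jason describes, as an added example that is not part of this thread or of any Cisco tool: it parses two constructed snapshots written in the style of ASA 7.x `show interface` output, reports which overrun/underrun/no-buffer counters grew between them, and lists the link speeds in use so a faster-feeds-slower mismatch is visible at a glance. The interface text and all counter values are made up for the example, not captured from the poster's firewall.

```python
import re

# Constructed sample in the style of ASA 7.x 'show interface' output (not captured
# from the poster's firewall); the packet and drop counts are made up.
SHOW_INT_T0 = """\
Interface GigabitEthernet0/0 "inside", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        120000 packets input, 90000000 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 12 overrun, 0 ignored, 0 abort
        118000 packets output, 88000000 bytes, 3 underruns
Interface GigabitEthernet0/1 "outside", is up, line protocol is up
        Full-Duplex, 100 Mbps
        80000 packets input, 60000000 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        81000 packets output, 61000000 bytes, 7 underruns
"""
# Second constructed snapshot "taken later": the drop counters have grown.
SHOW_INT_T1 = SHOW_INT_T0.replace("12 overrun", "41 overrun").replace("7 underruns", "30 underruns")

# The three cumulative counters this thread is about.
COUNTERS = {"no_buffer": r"(\d+) no buffer", "overrun": r"(\d+) overrun", "underruns": r"(\d+) underruns"}

def parse_show_interface(text):
    """Map nameif -> {'speed_mbps', 'no_buffer', 'overrun', 'underruns'}."""
    result = {}
    for block in re.split(r"(?m)^(?=Interface )", text):
        head = re.match(r'Interface \S+ "([^"]*)"', block)
        if not head:
            continue
        # Negotiated or hard-coded speed is printed on the duplex line in either format.
        dup = re.search(r"(?m)^.*Duplex.*?(\d+) Mbps", block)
        entry = {"speed_mbps": int(dup.group(1)) if dup else None}
        for key, pat in COUNTERS.items():
            m = re.search(pat, block)
            entry[key] = int(m.group(1)) if m else 0
        result[head.group(1)] = entry
    return result

def growing_counters(before, after):
    """(nameif, counter, delta) for every drop counter that rose between snapshots."""
    deltas = []
    for nameif, now in after.items():
        prev = before.get(nameif, {})
        for key in COUNTERS:
            if now[key] - prev.get(key, 0) > 0:
                deltas.append((nameif, key, now[key] - prev.get(key, 0)))
    return deltas

def link_speeds(parsed):
    """Distinct link speeds; more than one means a fast interface can fill the buffer feeding a slow one."""
    return {e["speed_mbps"] for e in parsed.values() if e["speed_mbps"]}
```

A rising delta between two polls is what to alert on; the absolute counter only says how long it has been since the last clear.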

Hello Jason,

Thank you for the feedback on my inquiry. It is disheartening to hear that the ASA product line cannot run different interfaces at different speeds without causing overrun/underrun/no buffer errors. The rationale why this would be of value is clear in that scenarios exist whereby a 100Mb interface (i.e. DMZ) is communicating capacity traffic (say 80Mb) with a Gig interface (i.e. Inside). Having the inside interface configured at Gig speed allows the remaining 100Mb interface (i.e. Outside) to process traffic with the Inside interface up to port configured speed.

If, in this scenario, the inside Gig interface was configured at 100Mb to match the speeds on all other interfaces, a transfer from the DMZ to the inside at port capacity (80Mb) would only allow 20Mb to be processed between the outside and the inside interfaces.

I have a TAC case open on this and am awaiting a response, as well as a feature request into our Cisco account team to review this capability. Sadly, Juniper is currently capable of supporting various speed interfaces today on their Netscreen product lines without issue.

-Scott
