Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
494
Views
0
Helpful
2
Replies

Packet dropped in ASA interfaces

bensonlei
Level 1
Level 1

‎06-25-2018 11:36 PM - edited ‎02-21-2020 07:54 AM

We have ASA 5545-X firewall pair in LAN network, and found lots of packet dropped in each interface ( the following counters are reset every morning for investigation), as below:

Interface GigabitEthernet1/0 "users", is up, line protocol is up
  Hardware is i82576F rev01, BW 1000 Mbps, DLY 1000 usec
 (Full-duplex), 1000 Mbps(1000 Mbps)
 Input flow control is unsupported, output flow control is off

628415157 packets input, 718417012211 bytes, 0 no buffer
 Received 73 broadcasts, 0 runts, 0 giants
 .....................
 327194378 packets output, 280633649724 bytes, 0 underruns
 .....................
  Traffic Statistics for "users":
 628415153 packets input, 706634816920 bytes
 327194378 packets output, 274259325238 bytes
 300365 packets dropped
      1 minute input rate 7182 pkts/sec,  983642 bytes/sec
      1 minute output rate 21990 pkts/sec,  28999034 bytes/sec
      1 minute drop rate, 14 pkts/sec
      5 minute input rate 3620 pkts/sec,  731810 bytes/sec
      5 minute output rate 6948 pkts/sec,  7747108 bytes/sec
      5 minute drop rate, 15 pkts/sec

Interface GigabitEthernet1/1 "vlan1", is up, line protocol is up
  Hardware is i82576F rev01, BW 1000 Mbps, DLY 1000 usec
 (Full-duplex), 1000 Mbps(1000 Mbps)
 Input flow control is unsupported, output flow control is off
 ...................
 3709153427 packets input, 4231993670446 bytes, 0 no buffer
 Received 2946230 broadcasts, 0 runts, 0 giants
.............................
 3743225801 packets output, 4211235321046 bytes, 0 underruns
 ............................
  Traffic Statistics for "vlan1":
 118274767 packets input, 153379837882 bytes
 32079207 packets output, 5847325514 bytes
 33386 packets dropped
      1 minute input rate 1922 pkts/sec,  2475670 bytes/sec
      1 minute output rate 921 pkts/sec,  92641 bytes/sec
      1 minute drop rate, 1 pkts/sec
      5 minute input rate 895 pkts/sec,  1004171 bytes/sec
      5 minute output rate 520 pkts/sec,  101586 bytes/sec
      5 minute drop rate, 1 pkts/sec

 

Interface GigabitEthernet1/1.169 "vlan169", is up, line protocol is up
  Hardware is i82576F rev01, BW 1000 Mbps, DLY 1000 usec
 VLAN identifier 169
 Traffic Statistics for "vlan169":
 1396663 packets input, 232877131 bytes
 1347307 packets output, 1377419222 bytes
 132616 packets dropped

 

Interface GigabitEthernet1/1.261 "vlan261", is up, line protocol is up
  Hardware is i82576F rev01, BW 1000 Mbps, DLY 1000 usec
 VLAN identifier 261
   Traffic Statistics for "vlan261":
 3578891 packets input, 1241639927 bytes
 4083447 packets output, 1785864313 bytes
 127308 packets dropped

 

 

 

 

Interface GigabitEthernet1/2 "", is up, line protocol is up
  Hardware is i82576F rev01, BW 1000 Mbps, DLY 1000 usec
 (Full-duplex), 1000 Mbps(1000 Mbps)
 Input flow control is unsupported, output flow control is off
 
 66111356 packets input, 4808097485 bytes, 0 no buffer
 Received 671084 broadcasts, 0 runts, 0 giants
 ...................
 324571395 packets output, 462270967911 bytes, 0 underruns
 ...............

Interface GigabitEthernet1/2.15 "vlan15", is up, line protocol is up
  Hardware is i82576F rev01, BW 1000 Mbps, DLY 1000 usec
 VLAN identifier 15
 .......................
  Traffic Statistics for "vlan15":
 69304291 packets input, 5616912963 bytes
 327177069 packets output, 456823365866 bytes
 495391 packets dropped

.................................................................................................................................

 

Any suggestion/advice for improvement of the interfaces traffic :

1. Turn on flowcontrol in each interface ?

2. Split (VLANS) into more physical interfaces, in order to share LAN traffic

3. enlarge the interface input buffer/output buffer ?

 

Thanks a lot

Labels:
0 Helpful
2 Replies 2

Florin Barhala
Level 6
Level 6

‎06-26-2018 02:08 AM

So far I have only one suggestion: on the switch port used for trunking towards ASA, make sure you allow to the ASA ONLY the VLANs used by the firewall. This should reduce the noise.

Still there's Gi1/0 on your scenario that seems to use an access ports, right?
Can you share switch port config used to connect Gi1/0? Also can you share swich port statistics used by Gi1/0?
0 Helpful

bensonlei
Level 1
Level 1
In response to Florin Barhala

‎06-26-2018 08:38 AM

Thx for the help.

 

 

A Juniper switch connects to the ASA:

1. ASA G1/0 is access port.

2. ASA G1/1 is trunk port in Juniper switch, some VLANs are configured in ASA G1/1, like above:

    G1/1.160, G1/1.261, more than 10 vlans in Gi1/1 interface.

3. ASA G1/2 is also trunk port in Juniper switch, but there are two vlans in Gi1/2 interface.

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card