cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3329
Views
0
Helpful
9
Replies

packet drops on ASA firewall

csco11049253
Level 1
Level 1

We installed ASA 5520 firewall which is connected to the Internet with NAT/PAT enabled but we started receiving complains about slow browsing. On checking the inside interface of the firewall it displays enormous number of packet drops!!!! Although the 5min input/output ratio shows a traffic not more than 500Kbits/sec.

I've cleared the interface to see the rate of drops. the rate of drops seems to be increasing exponentially.

Have anyone came across such a problem? Pls advise...

Thanks,

CM

9 Replies 9

Hi,

Did you check the speed and duplex mode of the switch port on which the ASA's interface is attached?

It may be a problem regarding the speed and duplex mode.

Best regards.

Massimiliano.

It is 1000Mbps full-duplex on both sides, ASA firewall as well as core switch..

Is any software installed for syslogs, if not then I would advice you install it Firewall Log Analyzer of Adventnet and it would be easy to judge where the traffic is coming from.

Can you post your Network Diagram then it would be easy to troubleshoot it.

I would be doing that tomorrow morning, meanwhile just to give u an idea of the setup.

ASA Outside IP address: 212.76.x.x

ASA inside IP address: 10.0.5.1

Routes are added to the ASA firewall for reachability tp subnets behind Inside interface.

Default route is added to the core switch -> 0 0 10.0.5.1

Core switch SVI: 10.0.5.252

Server vlan 10.0.0.0/24... where these IP's are static NATed on asa firewall

Server vlan SVI: 10.0.10.252/24

10.0.0.2 <-> 212.x.y.a - exchange

10.0.0.3 <-> 212.x.y.b - owa

PAT enabled with interface ip

10.0.0.6 <-> 212.x.y.c - proxy

10.0.0.8 <-> 212.x.y.c - blackberry

User vlan are vlan 3,4,6,7,8,9,10 with corresponding svi's configured on the core.

Now the traffic source for ASA firewall is basically from the servers specified and I have observed that these interface doesn't have high volume of traffic infact less than 1 mb each, and the ASA vlan doesn't have any other end user except the access switches with managment ip's only!!

Aaahh!!! I'm not sure why these packet drops are occuring.....

I'll see if any valuable inputs come in from users from netpro community.

What is a version of ASA OS. If you are using an old version then I would advice you to upgrade it into 8.04 the latest one.

there could be a number of reasons for packet drops, but if you can you post complete output of show interface inside to see, what are your other interfaces stats are they clean such as outside interface etc.., how about the switchport the ASA interface inside is connected to, can u post output of show interface from switch side?

even though you have hardcoded both sides does not rule out the posibility of a bad

cable, any CRCs, runs, giants on switchport side?

u may also issue show asp drop in firewall

see table 25-2 for specs on this command

http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/s2_711.html#wp1116367

show service-pilicy output to rule out any service policy may be causing drops,

last but not least go through the normal performance check list here http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml

regards

Jorge Rodriguez

Continuing with the packet drops issue... See the number of underruns on the interfaces

Interface GigabitEthernet0/1 "inside", is up, line protocol is up

Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

Description: *****Connected to Core switch*****

MAC address 001e.be79.7957, MTU 1500

IP address 10.0.5.1, subnet mask 255.255.254.0

4114739 packets input, 1292642813 bytes, 0 no buffer

Received 2514 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

4016064 packets output, 3095325439 bytes, 1805 underruns

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 input reset drops, 0 output reset drops

input queue (curr/max packets): hardware (0/25) software (0/0)

output queue (curr/max packets): hardware (0/255) software (0/0)

Traffic Statistics for "inside":

4114739 packets input, 1207986967 bytes

4017869 packets output, 3017572869 bytes

78650 packets dropped

1 minute input rate 101 pkts/sec, 15968 bytes/sec

1 minute output rate 156 pkts/sec, 23251 bytes/sec

1 minute drop rate, 0 pkts/sec

5 minute input rate 31 pkts/sec, 3199 bytes/sec

5 minute output rate 30 pkts/sec, 29771 bytes/sec

5 minute drop rate, 0 pkts/sec

Can you post output from asa

show asp drop

show service-policy

Jorge Rodriguez

alex.rosa
Level 1
Level 1

Have you checked your appliance memory usage?

show memory

show processes memory

Review Cisco Networking for a $25 gift card