3508 Views, 0 Helpful, 5 Replies

ASA 5505 Dropping Packets

rdingram21, Level 1

I am currently having an issue on a large home network that I need some help with. Just as a preface, I have just acquired my CCNA, but my experience in troubleshooting real-world scenarios is nil. So I am hoping someone could nudge me in the direction of good information to get me started in the troubleshooting process.

Here is the problem: at the core of the network we have an ASA 5505 that serves as the DHCP server. The router intermittently starts dropping packets on Vlan1, which is the interface that serves the IPs. Vlan2 is the outside interface, which acquires its IP via DHCP. At the router, even when packets are being dropped on the inside interface, I can get out fine, e.g. I can ping outside hosts from the outside interface when no traffic is getting through from the inside. I will attach my config here along with a 'sho int vlan1 detail' to demonstrate.

Start 'sho int vlan1 detail'

[code]
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001f.ca58.ee2f, MTU 1500
IP address 10.10.40.1, subnet mask 255.255.0.0
Traffic Statistics for "inside":
2600952 packets input, 224101620 bytes
2394181 packets output, 2628251475 bytes
539541 packets dropped
1 minute input rate 262 pkts/sec, 16150 bytes/sec
1 minute output rate 437 pkts/sec, 535764 bytes/sec
1 minute drop rate, 352 pkts/sec
5 minute input rate 164 pkts/sec, 8460 bytes/sec
5 minute output rate 275 pkts/sec, 335720 bytes/sec
5 minute drop rate, 278 pkts/sec
Control Point Interface States:
Interface number is 1
Interface config status is active
Interface state is active
[/code]

So I am just a little clueless about how to start the troubleshooting process. I would sincerely appreciate any mentoring or guidance.

Also please be gentle, I am really new to this.

Thanks!

5 Replies

nsn-amagruder, Level 5

Drops on the logical interface can be denied packets. I wouldn't worry about this.

Check the physical interface stats and see if you are seeing drops there. If you do, check speed/duplex.

[code]
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 0023.eb6d.ac4c, MTU not set
IP address unassigned
4751038 packets input, 1029632688 bytes, 0 no buffer
Received 16221 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
6439610 packets output, 5392606578 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
[/code]
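The reply above draws the line that matters when reading these counters: "packets dropped" on the logical Vlan interface is the ASA itself discarding packets, while the physical Ethernet counters show link-level trouble (CRC, frame, collisions) or switch policy drops. The following is an added example, not code from the thread or from Cisco: a small parser that takes raw `show interface` text, splits it per interface, and says which bucket the non-zero counters fall into. SAMPLE is the Vlan1 and Ethernet0/1 output pasted in this thread; the 5% threshold in flag() and the bucket names are assumptions made here.

```python
"""Sort ASA `show interface` counters into buckets (added example, not from the thread)."""
import re
from collections import defaultdict

# Counter labels exactly as the ASA prints them, grouped by what they point at.
PHYSICAL = {"no buffer", "runts", "giants", "input errors", "CRC", "frame",
            "overrun", "ignored", "abort", "underruns", "output errors",
            "collisions", "interface resets", "babbles", "late collisions",
            "deferred", "lost carrier", "no carrier"}
SWITCH = {"L2 decode drops", "switch ingress policy drops",
          "switch egress policy drops", "rate limit drops",
          "input reset drops", "output reset drops"}

# SAMPLE: the Vlan1 and Ethernet0/1 output pasted in the thread (abbreviated).
SAMPLE = """\
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001f.ca58.ee2f, MTU 1500
IP address 10.10.40.1, subnet mask 255.255.0.0
Traffic Statistics for "inside":
2600952 packets input, 224101620 bytes
2394181 packets output, 2628251475 bytes
539541 packets dropped
1 minute input rate 262 pkts/sec, 16150 bytes/sec
1 minute output rate 437 pkts/sec, 535764 bytes/sec
1 minute drop rate, 352 pkts/sec
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 001f.ca58.ee28, MTU not set
4649345 packets input, 439883485 bytes, 0 no buffer
Received 717485 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
623 switch ingress policy drops
5774668 packets output, 6711030630 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
"""

RATE_RE = re.compile(r"^(\d+) minute (input|output|drop) rate,? (\d+) pkts/sec")
COUNTER_RE = re.compile(r"(\d+)\s+([A-Za-z][\w ]*)$")  # "623 switch ingress policy drops"


def parse_show_interface(text):
    """Return {name: {"logical": bool, "counters": {label: int}, "rates": {key: pps}}}."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^Interface (\S+) "', line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"logical": False,
                                                  "counters": defaultdict(int),
                                                  "rates": {}})
            continue
        if cur is None:
            continue
        if line.startswith("Hardware is EtherSVI"):   # Vlan interface, not a port
            cur["logical"] = True
            continue
        m = RATE_RE.match(line)
        if m:
            cur["rates"][f"{m.group(1)}m_{m.group(2)}"] = int(m.group(3))
            continue
        for piece in line.split(","):                # "0 input errors, 0 CRC, ..."
            m = COUNTER_RE.search(piece.strip())
            if m:
                cur["counters"][m.group(2).strip()] += int(m.group(1))
    return ifaces


def flag(name, iface, logical_drop_threshold=0.05):
    """Findings for one interface; threshold (5%) is an assumption of this example."""
    c, findings = iface["counters"], []
    phys = {k: v for k, v in c.items() if k in PHYSICAL and v}
    sw = {k: v for k, v in c.items() if k in SWITCH and v}
    if phys:
        findings.append(f"{name}: link-level errors {phys}; check speed/duplex and cabling")
    if sw:
        findings.append(f"{name}: switch policy drops {sw}; VLAN tagging or port policy, not speed/duplex")
    if iface["logical"] and c.get("packets dropped"):
        ratio = c["packets dropped"] / max(c.get("packets input", 0), 1)
        r = iface["rates"]
        note = f"{name}: {ratio:.1%} of input packets dropped by the ASA itself; check syslog denies"
        if r.get("1m_drop", 0) > r.get("1m_input", 0):
            note += "; 1-minute drop rate exceeds input rate, so the counter is not limited to this interface's ingress"
        if ratio >= logical_drop_threshold:
            findings.append(note)
    return findings


def analyze(text):
    data = parse_show_interface(text)
    return {name: flag(name, iface) for name, iface in data.items()}


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE).items():
        print(name, findings or ["clean"])
```

Run it against the thread's own numbers and it reports Vlan1 dropping about 20.7% of its input with a drop rate above the input rate, and Ethernet0/1 clean at the link layer with only switch ingress policy drops, which is the same split the reply above describes.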

Here is the output from sho int e0/1.

[code]
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001f.ca58.ee28, MTU not set
IP address unassigned
4649345 packets input, 439883485 bytes, 0 no buffer
Received 717485 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
623 switch ingress policy drops
5774668 packets output, 6711030630 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
[/code]

The switch ingress policy drops are caused by improperly tagged VLAN packets, I believe. This shouldn't have anything to do with speed/duplex, if I understand correctly. Please correct me if I am incorrect.

The overall problem is that the users experience their internet connectivity basically drop during the times packets are being dropped on Vlan1. Could the amount of filtered packets cause connectivity for everyone else to come to a halt? And also, is there a way for me to monitor the packets that are being filtered so I can determine if they are all coming from the same host?

Thanks for any help!

If I understand your original post, when hosts on the inside stop accessing the internet, a host on the external network/outside interface with a public IP can still access the internet.

Post a show version and show xlate. Does anything show up in the log files at the same time this happens, either while looking at the ASDM or via syslog?

How many hosts are behind the firewall?

Any errors on the outside interface e0/0?

That is correct, the outside interface is fine when everything else is down.

show version
----------------

[code]
Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)
Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
Config file at boot was "startup-config"
creekridgeasa up 2 days 6 hours
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 001f.ca58.ee2f, irq 11
1: Ext: Ethernet0/0 : address is 001f.ca58.ee27, irq 255
2: Ext: Ethernet0/1 : address is 001f.ca58.ee28, irq 255
3: Ext: Ethernet0/2 : address is 001f.ca58.ee29, irq 255
4: Ext: Ethernet0/3 : address is 001f.ca58.ee2a, irq 255
5: Ext: Ethernet0/4 : address is 001f.ca58.ee2b, irq 255
6: Ext: Ethernet0/5 : address is 001f.ca58.ee2c, irq 255
7: Ext: Ethernet0/6 : address is 001f.ca58.ee2d, irq 255
8: Ext: Ethernet0/7 : address is 001f.ca58.ee2e, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
Serial Number: JMX1213Z0GF
Running Activation Key: 0xd114c978 0xe8ca9b42 0x44418194 0xb040f03c 0xc532a191
Configuration register is 0x1
Configuration last modified by enable_15 at 05:19:57.625 UTC Mon Sep 21 2009
[/code]

show xlate
-----------------

[code]
104 in use, 576 most used
PAT Global 75.136.206.139(41785) Local 10.10.30.85(41795)
PAT Global 75.136.206.139(41786) Local 10.10.30.86(41795)
PAT Global 75.136.206.139(41787) Local 10.10.30.87(41795)
PAT Global 75.136.206.139(41788) Local 10.10.30.88(41795)
PAT Global 75.136.206.139(41789) Local 10.10.30.89(41795)
PAT Global 75.136.206.139(58002) Local 10.10.60.10(58002)
PAT Global 75.136.206.139(58002) Local 10.10.60.10(58002)
PAT Global 75.136.206.139(2001) Local 10.10.30.76(2001)
PAT Global 75.136.206.139(2001) Local 10.10.30.76(2001)
PAT Global 75.136.206.139(2002) Local 10.10.30.76(2002)
PAT Global 75.136.206.139(2002) Local 10.10.30.76(2002)
PAT Global 75.136.206.139(2003) Local 10.10.30.76(2003)
PAT Global 75.136.206.139(2003) Local 10.10.30.76(2003)
PAT Global 75.136.206.139(2175) Local 10.10.30.76(2175)
..
[/code]

There are typically 70 to 90 hosts at a time behind the firewall. Most of the devices do not communicate with the outside, though. Only about 20 access the internet.

sho interface e0/0
-----------------------

[code]
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001f.ca58.ee27, MTU not set
IP address unassigned
9404044 packets input, 7018293816 bytes, 0 no buffer
Received 3858515 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
15 switch ingress policy drops
3542845 packets output, 305927247 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
[/code]
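Two posts up the question was whether the filtered packets all come from one host, and the reply pointed at the syslog; the show xlate output just above is the other place that question can be answered, since it lists one line per translation per local host. The following is an added example, not code from the thread or from Cisco: it ranks inside hosts two ways, by syslog deny messages (106023 access-group denies, 106015 out-of-state TCP) and built-connection messages (302013/302015), and by PAT entries per local host in `show xlate`. XLATE_SAMPLE is the excerpt pasted above; SYSLOG_SAMPLE is constructed for this example (the addresses in it are documentation ranges, not from the thread), and the inside nameif "inside" is an assumption.

```python
"""Rank inside hosts by ASA syslog activity and by PAT entries (added example, not from the thread)."""
import re
from collections import Counter

# Message formats as the ASA logs them; only the fields used here are captured.
DENY_ACL = re.compile(
    r"%ASA-\d-106023: Deny \w+ src (\S+?):([\d.]+)(?:/\d+)? dst (\S+?):([\d.]+)(?:/\d+)?")
DENY_NOCONN = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from ([\d.]+)/\d+ to ([\d.]+)/\d+ "
    r"flags .+? on interface (\S+)")
BUILT = re.compile(
    r"%ASA-\d-30201[35]: Built (?:inbound|outbound) (?:TCP|UDP) connection \d+ "
    r"for (\S+?):([\d.]+)/\d+ \([^)]*\) to (\S+?):([\d.]+)/\d+")
XLATE = re.compile(r"Local ([\d.]+)\((\d+)\)")

# Constructed sample log lines for this example (not from the thread).
SYSLOG_SAMPLE = """\
%ASA-4-106023: Deny tcp src inside:10.10.30.76/2001 dst outside:198.51.100.7/445 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.10.30.76/2002 dst outside:198.51.100.7/137 by access-group "inside_access_in" [0x0, 0x0]
%ASA-6-106015: Deny TCP (no connection) from 10.10.30.76/2003 to 198.51.100.7/80 flags RST on interface inside
%ASA-4-106023: Deny tcp src outside:203.0.113.9/52000 dst inside:10.10.30.76/3389 by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:10.10.30.85/41795 (75.136.206.139/41785)
%ASA-6-302015: Built outbound UDP connection 4712 for outside:198.51.100.2/53 (198.51.100.2/53) to inside:10.10.60.10/58002 (75.136.206.139/58002)
%ASA-6-302013: Built outbound TCP connection 4713 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:10.10.60.10/58003 (75.136.206.139/58003)
Sep 21 05:19:57 creekridgeasa %ASA-6-605005: Login permitted from 10.10.40.5/50000 to inside:10.10.40.1/ssh for user "enable_15"
"""

# The show xlate excerpt pasted in the thread.
XLATE_SAMPLE = """\
104 in use, 576 most used
PAT Global 75.136.206.139(41785) Local 10.10.30.85(41795)
PAT Global 75.136.206.139(41786) Local 10.10.30.86(41795)
PAT Global 75.136.206.139(41787) Local 10.10.30.87(41795)
PAT Global 75.136.206.139(41788) Local 10.10.30.88(41795)
PAT Global 75.136.206.139(41789) Local 10.10.30.89(41795)
PAT Global 75.136.206.139(58002) Local 10.10.60.10(58002)
PAT Global 75.136.206.139(58002) Local 10.10.60.10(58002)
PAT Global 75.136.206.139(2001) Local 10.10.30.76(2001)
PAT Global 75.136.206.139(2001) Local 10.10.30.76(2001)
PAT Global 75.136.206.139(2002) Local 10.10.30.76(2002)
PAT Global 75.136.206.139(2002) Local 10.10.30.76(2002)
PAT Global 75.136.206.139(2003) Local 10.10.30.76(2003)
PAT Global 75.136.206.139(2003) Local 10.10.30.76(2003)
PAT Global 75.136.206.139(2175) Local 10.10.30.76(2175)
"""


def rank_syslog(lines, inside="inside"):
    """Return {"deny": Counter, "built": Counter} keyed by inside-host IP.

    Only the inside end of each message is counted, so an outside scanner
    hitting the firewall does not get attributed to the inside host it targets.
    """
    deny, built = Counter(), Counter()
    for line in lines:
        m = DENY_ACL.search(line)
        if m:
            if m.group(1) == inside:
                deny[m.group(2)] += 1
            continue
        m = DENY_NOCONN.search(line)
        if m:
            if m.group(3) == inside:
                deny[m.group(1)] += 1
            continue
        m = BUILT.search(line)
        if m:
            # 302013/302015 name both ends; take whichever sits on the inside nameif.
            for ifname, ip in ((m.group(1), m.group(2)), (m.group(3), m.group(4))):
                if ifname == inside:
                    built[ip] += 1
    return {"deny": deny, "built": built}


def rank_xlate(lines):
    """Count NAT/PAT entries per local host from `show xlate` output."""
    per_host = Counter()
    for line in lines:
        m = XLATE.search(line)
        if m:
            per_host[m.group(1)] += 1
    return per_host


if __name__ == "__main__":
    r = rank_syslog(SYSLOG_SAMPLE.splitlines())
    print("top denied inside hosts:", r["deny"].most_common(3))
    print("top connection builders:", r["built"].most_common(3))
    print("PAT entries per host:", rank_xlate(XLATE_SAMPLE.splitlines()).most_common(3))
```

On the excerpt above, rank_xlate() already shows one host (10.10.30.76) holding half the listed translations, which is the kind of skew to look for in the full table; pairing that with the per-host deny count from the syslog tells you whether the same host is also the one generating the Vlan1 drops.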

cuongtlam, Level 1

Did you get a solution to this problem? I am having this issue too. I have an ASA 5585-X. My interfaces are at less than 10% utilization, so I don't think it is actually oversubscribing.

Thanks
