Cisco 5505 Dropping Packets

ashley_dew
Level 1

Hi,

I have a Cisco 5505, and I am having a problem pinging the gateway on the outside. It was working fine when I just installed it and then stopped after a few hours.

I can see a large number (1334) of switch ingress policy drops now.

The outside interface is connected to a Cisco Catalyst 2960G, with a vlan created between the gateway and the asa outside interface.

Gi0/1 - vlan 34 ---> service provider
Gi0/2 - vlan 34 ---> asa 5505 outside e0/0 interface
Gi0/3 - vlan 34 ---> router
Gi0/4 - vlan 34 ---> PIX

The pix and router can ping the sp gateway with no problem.

Here is the interface configuration on the asa 5505

interface Vlan1
nameif inside
security-level 100
ip address 10.102.246.71 255.255.255.240
!
interface Vlan2
nameif outside
security-level 0
ip address xxxxxx 255.255.255.248

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1

FW# sh int e0/0
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 0025.45fd.e466, MTU not set
        IP address unassigned
        1910 packets input, 141491 bytes, 0 no buffer
        Received 56 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        1334 switch ingress policy drops
        4 packets output, 256 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 rate limit drops
        0 switch egress policy drops
FW-#

I have checked that there is no port security on the switch and that the port is not err-disabled on the switch.

Both ports on the switch and the ASA are auto-sensing, and there is no mismatch problem since there are no CRC errors.

Please help.

Thanks,

Ashley
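
The counters in the `sh int e0/0` output above can be summarised with a short script. This is an added example, not part of the original post; the function names `parse_counters` and `triage` and the grouping of "physical" counters are assumptions made for illustration.

```python
import re

# Counter lines copied from the "sh int e0/0" output in the post above.
SAMPLE = """\
Interface Ethernet0/0 "", is up, line protocol is up
        1910 packets input, 141491 bytes, 0 no buffer
        Received 56 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        1334 switch ingress policy drops
        4 packets output, 256 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 rate limit drops
        0 switch egress policy drops
"""

# "<number> <counter name>" pairs; a name ends at a comma or at end of line.
COUNTER_RE = re.compile(r"(\d+)\s+([A-Za-z][A-Za-z0-9 ]*?)\s*(?:,|$)", re.M)

# Counters that point at cabling or speed/duplex trouble rather than policy
# (assumed grouping for this example).
PHYSICAL = ("input errors", "crc", "frame", "runts", "giants",
            "output errors", "collisions")


def parse_counters(text):
    """Return {counter name: value}; the first occurrence of a name wins."""
    counters = {}
    for value, name in COUNTER_RE.findall(text):
        counters.setdefault(name.lower(), int(value))
    return counters


def triage(text):
    """Summarise where frames are being lost on the port."""
    c = parse_counters(text)
    rx = c.get("packets input", 0)
    drops = c.get("switch ingress policy drops", 0)
    return {
        "physical_errors": sum(c.get(k, 0) for k in PHYSICAL),
        "ingress_policy_drops": drops,
        # Drops per packet counted as input; 0.0 if nothing was received.
        "ingress_drop_ratio": round(drops / rx, 3) if rx else 0.0,
        "egress_policy_drops": c.get("switch egress policy drops", 0),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

With zero physical errors and a high ingress drop ratio, the output matches the post's reasoning that the loss is not a speed/duplex or cabling fault.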

18 Replies

Hi All,

I got the same problem. I have checked the MAC address of vlan 1 and 36; inside and outside seem to be the same.

Anyway, I finally got it working by removing the VLANs on the switches to which the inside and outside of the ASA 5505 are connected.

I am still encountering egress policy drops. The weird thing is that I cannot ping any interface, though other traffic (SMTP, FTP, SSH) is working. ICMP is enabled on the interface and I have also created an ACL to permit ICMP on the outside interface.

I will manage with that. Thanks guys for the support.

Ashley

Hello,

Can you try issuing the following command:

icmp permit any outside

Regards,

NT

Hi,

I have tried that.

I have also added the following for good measure; still nothing.

access-list outside01 permit icmp any any

access-group outside01 in interface outside

Thx,

Ashley

Hello,

OK, let's do one thing: put a capture on the outside interface and see what is happening with those ICMP packets.

access-list cap permit icmp any any

capture capout access-list cap interface outside

Please configure the above two lines on the firewall, then try to ping somebody on the outside. After it fails, please collect the output of "show capture capout" and post it here.

Regards,

NT