12-15-2015 01:28 AM - edited 03-08-2019 03:06 AM
Dear all,
I have a problem on the port-channel interface of my Cisco ASA 5506. I have no errors on the 2 physical interfaces.
ASA 5506 => Po1 => Gi1/1 to core switch
                => Gi1/2 to core switch
         => Gi1/3 = GUEST to another network
Interfaces on the Cisco ASA 5506:
interface Port-channel1
description SR3548 vPC13
lacp max-bundle 8
nameif LAN
security-level 100
ip address 10.99.29.161 255.255.255.240
FW5506-01# show port-channel 1
Span-cluster port-channel: No
Ports: 2 Maxports = 32
Port-channels: 1 Max Port-channels = 48
Protocol: LACP/ active
Minimum Links: 1
Maximum Bundle: 8
Load balance: src-dst-ip
Interface Port-channel1 "LAN", is up, line protocol is up
Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: SR3548 vPC13
MAC address a46c.2a99.f9ac, MTU 1500
IP address 10.99.29.161, subnet mask 255.255.255.240
Traffic Statistics for "LAN":
40526665 packets input, 3271217428 bytes
32843572 packets output, 12355293991 bytes
1891643 packets dropped
1 minute input rate 49 pkts/sec, 3906 bytes/sec
1 minute output rate 41 pkts/sec, 14162 bytes/sec
1 minute drop rate, 2 pkts/sec
5 minute input rate 45 pkts/sec, 3636 bytes/sec
5 minute output rate 36 pkts/sec, 13628 bytes/sec
5 minute drop rate, 2 pkts/sec
Members in this channel:
Active: Gi1/1 Gi1/2
Interface GigabitEthernet1/1 "", is up, line protocol is up
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: SR3548-01 Eth1/13
Active member of Port-channel1
MAC address a46c.2a99.f9ac, MTU 1500
IP address unassigned
45854494 packets input, 3856705876 bytes, 6757768 no buffer
Received 5 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
2830829 packets output, 1403672918089097 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (929/873)
output queue (blocks free curr/low): hardware (1023/1009)
Interface GigabitEthernet1/2 "", is up, line protocol is up
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: SR3548-02 Eth1/13
Active member of Port-channel1
MAC address a46c.2a99.f9ad, MTU 1500
IP address unassigned
8317440 packets input, 161926699 bytes, 6827898 no buffer
Received 4 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
30076475 packets output, 29132951497328700 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (1000/893)
output queue (blocks free curr/low): hardware (1023/963)
Interface GigabitEthernet1/3 "GUEST", is up, line protocol is up
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: SW2960-01 Gi1/0/1
MAC address a46c.2a99.f9ae, MTU 1500
IP address 172.16.100.254, subnet mask 255.255.255.240
1313927589 packets input, 266036497 bytes, 1312320705 no buffer
Received 11433 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
1193931 packets output, 352723800044307 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (896/853)
output queue (blocks free curr/low): hardware (1023/964)
Traffic Statistics for "GUEST":
1577149 packets input, 230525904 bytes
1193931 packets output, 127335594 bytes
484966 packets dropped
1 minute input rate 1 pkts/sec, 214 bytes/sec
1 minute output rate 1 pkts/sec, 115 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 1 pkts/sec, 162 bytes/sec
5 minute output rate 0 pkts/sec, 102 bytes/sec
5 minute drop rate, 0 pkts/sec
FW5506-01# sh asp drop
Frame drop:
No valid adjacency (no-adjacency) 1
Flow is denied by configured rule (acl-drop) 733226 => these values are incremented
First TCP packet not SYN (tcp-not-syn) 575
TCP failed 3 way handshake (tcp-3whs-failed) 1
TCP RST/FIN out of order (tcp-rstfin-ooo) 14
CTM returned error (ctm-error) 36
Slowpath security checks failed (sp-security-failed) 2638
FP L2 rule drop (l2_acl) 1807380 => these values are incremented
Interface is down (interface-down) 4
Dropped pending packets in a closed socket (np-socket-closed) 28
Last clearing: Never
Flow drop:
SSL handshake failed (ssl-handshake-failed) 39
CORE switch - vPC (2 x 3548 switches) => no errors
On each 3845:
interface Ethernet1/13
speed 1000
description FW5506-ATH-DC-01 Gi1/1
switchport access vlan 903
spanning-tree port type normal
storm-control broadcast level 5.00
channel-group 13 mode active
no shutdown
On the first core switch:
SR3548-01# sh int eth1/13
Ethernet1/13 is up
Dedicated Interface
Belongs to Po13
Hardware: 100/1000/10000/40000 Ethernet, address: 5897.bd0d.ed14 (bia 5897.bd0d.ed14)
Description: FW5506-01 Gi1/1
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA
Port mode is access
full-duplex, 1000 Mb/s, media type is 1G
Beacon is turned off
Input flow-control is off, output flow-control is off
Rate mode is dedicated
Switchport monitor is off
EtherType is 0x8100
Last link flapped 1week(s) 3day(s)
Last clearing of "show interface" counters 10w6d
12 interface resets
Load-Interval #1: 30 seconds
30 seconds input rate 4088 bits/sec, 2 packets/sec
30 seconds output rate 20488 bits/sec, 19 packets/sec
Load-Interval #2: 5 minute (300 seconds)
input rate 3.03 Kbps, 2 pps; output rate 28.95 Kbps, 42 pps
RX
94594582 unicast packets 239170 multicast packets 141 broadcast packets
94833893 input packets 38952348556 bytes
0 jumbo packets 0 storm suppression bytes
0 runts 0 giants 0 CRC 0 no buffer
0 input error 0 short frame 0 overrun 0 underrun 0 ignored
0 watchdog 0 bad etype drop 0 bad proto drop 0 if down drop
0 input with dribble 0 input discard
0 Rx pause
TX
197729147 unicast packets 14 multicast packets 0 broadcast packets
197729161 output packets 19104211566 bytes
0 jumbo packets
0 output errors 0 collision 0 deferred 0 late collision
0 lost carrier 0 no carrier 0 babble 0 output discard
0 Tx pause
On the second core switch:
SR3548-02# sh int eth1/13
Ethernet1/13 is up
Dedicated Interface
Belongs to Po13
Hardware: 100/1000/10000/40000 Ethernet, address: 5897.bd73.8a74 (bia 5897.bd73.8a74)
Description: FW5506-01 Gi1/2
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA
Port mode is access
full-duplex, 1000 Mb/s, media type is 1G
Beacon is turned off
Input flow-control is off, output flow-control is off
Rate mode is dedicated
Switchport monitor is off
EtherType is 0x8100
Last link flapped 1week(s) 3day(s)
Last clearing of "show interface" counters 10w6d
8 interface resets
Load-Interval #1: 30 seconds
30 seconds input rate 103200 bits/sec, 26 packets/sec
30 seconds output rate 1544 bits/sec, 1 packets/sec
Load-Interval #2: 5 minute (300 seconds)
input rate 175.49 Kbps, 34 pps; output rate 1.05 Kbps, 0 pps
RX
68941914 unicast packets 239322 multicast packets 364 broadcast packets
69181600 input packets 27519919374 bytes
0 jumbo packets 0 storm suppression bytes
0 runts 0 giants 0 CRC 0 no buffer
0 input error 0 short frame 0 overrun 0 underrun 0 ignored
0 watchdog 0 bad etype drop 0 bad proto drop 0 if down drop
0 input with dribble 0 input discard
0 Rx pause
TX
8751455 unicast packets 139 multicast packets 4 broadcast packets
8751598 output packets 898151323 bytes
0 jumbo packets
0 output errors 0 collision 0 deferred 0 late collision
0 lost carrier 0 no carrier 0 babble 0 output discard
0 Tx pause
Why are there packet drops on the port channel?
Best regards.
12-16-2015 08:10 AM
Hello
Packet drops on an ASA interface are expected - these drops include security/ACL-related drops. See the link below.
hth
Andy
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113680-pdc-show-output.html
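To check the answer's point against the counters posted in the question, the following added example (not part of the original thread or of any Cisco tooling) parses the `show asp drop` output and reports how much of the frame-drop total comes from rule-based reasons. The function names and the choice of `acl-drop` and `l2_acl` as the "rule" group are assumptions made for this illustration.

```python
import re

# Sample copied from the "show asp drop" output posted in the question.
ASP_DROP_OUTPUT = """\
Frame drop:
  No valid adjacency (no-adjacency) 1
  Flow is denied by configured rule (acl-drop) 733226 => these values are incremented
  First TCP packet not SYN (tcp-not-syn) 575
  TCP failed 3 way handshake (tcp-3whs-failed) 1
  TCP RST/FIN out of order (tcp-rstfin-ooo) 14
  CTM returned error (ctm-error) 36
  Slowpath security checks failed (sp-security-failed) 2638
  FP L2 rule drop (l2_acl) 1807380 => these values are incremented
  Interface is down (interface-down) 4
  Dropped pending packets in a closed socket (np-socket-closed) 28
Last clearing: Never
Flow drop:
  SSL handshake failed (ssl-handshake-failed) 39
"""

# Assumption: reasons whose description names a rule count as policy drops.
RULE_REASONS = {"acl-drop", "l2_acl"}
# "<description> (<reason-id>) <count>", tolerating trailing annotations.
LINE_RE = re.compile(r"^\s*.+?\s+\((?P<reason>[\w-]+)\)\s+(?P<count>\d+)\b")

def parse_asp_drop(text):
    """Return {"frame": {reason: count}, "flow": {reason: count}}."""
    sections = {"frame": {}, "flow": {}}
    current = None
    for line in text.splitlines():
        header = line.strip().lower()
        if header.startswith("frame drop"):
            current = "frame"
        elif header.startswith("flow drop"):
            current = "flow"
        else:
            m = LINE_RE.match(line)
            if m and current:
                sections[current][m["reason"]] = int(m["count"])
    return sections

def rule_drop_share(frame_drops):
    # Returns (rule-based drops, all frame drops, rule-based fraction).
    total = sum(frame_drops.values())
    by_rule = sum(c for r, c in frame_drops.items() if r in RULE_REASONS)
    return by_rule, total, (by_rule / total if total else 0.0)

if __name__ == "__main__":
    by_rule, total, share = rule_drop_share(parse_asp_drop(ASP_DROP_OUTPUT)["frame"])
    print(f"rule-based frame drops: {by_rule} of {total} ({share:.2%})")
```

The ASP counters are device-wide and were captured at a different moment than the per-interface "packets dropped" figures, so the two sets of numbers are comparable in magnitude but will not match exactly.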